SEC Tells Public Companies to Up Their Game in Assessing and Disclosing Cyber Risks

April 5, 2019 | Jeff B. Copeland

The Securities and Exchange Commission recently issued an updated guidance statement on cybersecurity disclosures that amounts to a detailed warning to public companies to shape up their cyber risk assessment, reporting and management programs.

Significantly, the SEC expands its guidance beyond a focus on disclosing cyber attack incidents, and into new territory: ongoing cyber risk management procedures, with an emphasis on reporting material risks and breaches and the associated costs.


Generic lists of cyber risk factors don't cut it anymore

This new emphasis on assessing the materiality of cyber risks points to the dawn of a new era, when it is no longer acceptable to merely list 'risk factors' and describe them in qualitative terms. The SEC is setting a new measurement standard by which the 'costs' or losses associated with cyber risks and breaches need to be assessed in monetary terms, in order to determine the significance of their impact on the business and its shareholders.

The SEC document updates its 2011 guidance, which required cybersecurity risks and incidents to be publicly reported if they were “material” to the finances of the company. The effectiveness of that guidance has been widely questioned over the years. Some companies merely listed cyber risk factors in general descriptive terms. Many others, it’s suspected, have given themselves a generous interpretation of “material” and continue to conceal embarrassing, costly cyber incidents. There are multiple cases from 2017 that support this thesis. In this latest guidance, the SEC says it expects companies to disclose material incidents in a timely way, even before a thorough investigation is completed.

Cyber risk = business risk and needs to be quantified and communicated as such

The SEC’s new directive further emphasizes the fact that cybersecurity is a core business concern and it must be managed through a business lens. The message should be loud and clear - the SEC is tightening the screws and expecting companies to immediately evolve their risk programs to provide a true understanding of the business impact of a wide variety of cyber risks.

The statement adds a new emphasis on companies disclosing their significant risk factors, in financial terms, in their current and periodic reports.

Disclosures should cover:

  • Frequency of cyber events, based on past experience
  • Probability and magnitude of incidents (costs, in financial terms)
  • Adequacy of controls
  • Third party suppliers that might create material risks
  • Amount of insurance coverage
  • Potential reputational harm
  • Relevant laws and regulations
  • Potential fines and judgments from cybersecurity incidents

The SEC also gives detailed guidance regarding cybersecurity for the Management's Discussion and Analysis (MD&A) section of financial reporting, saying that companies should be explicit about discussing, in monetary terms, such potential costs of cybersecurity risk as incident response, loss of intellectual property and implementation of controls.

The new SEC guidance goes beyond disclosure requirements and warns companies to “adopt comprehensive policies and procedures” and “assess their compliance regularly.” Executive officers must personally certify the effectiveness of cybersecurity controls as part of Sarbanes-Oxley Act reporting. Companies are also put on notice to carry out ongoing “timely collection and evaluation of information potentially subject to required disclosure.” Finally, the SEC directs that companies disclose the role of their boards in cybersecurity oversight.

"Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents."

Rethink existing cyber risk quantification models and tools

A new day is dawning in cyber risk - and RiskLens is here to help usher in this new age.

  • RiskLens is the only software platform purpose-built on FAIR, the global standard cyber risk quantification model, that can immediately deliver a solution to this new SEC guidance.
  • Many of the biggest brands in the world - listed on US stock exchanges - have already deployed RiskLens to quantify, mitigate and communicate cybersecurity risk in financial terms.
  • RiskLens clients span the Fortune 500, with industry leaders in Retail, Financial Services, Healthcare, Technology, Hospitality, Manufacturing, Oil and Gas, and Consumer Packaged Goods.

Contact us to learn how we are helping them. We want to help you too!