The board of the FAIR Institute sent a letter to Gary Gensler, Chairman of the Securities and Exchange Commission, calling for the SEC to direct disclosure of top cyber risks in financial terms as a “critical means to better understand the impact of cybersecurity events and to determine the adequacy of risk mitigation measures” in all cases, not just after a data breach.
“After all, how can organizations effectively prioritize cyber risk and size mitigation initiatives without understanding its impact on the bottom line?” the letter asked.
Specifically, the FAIR board asked the Commission to:
- Revise its guidance on audit requirements for the Sarbanes-Oxley Act to include cyber risk quantification
- Enforce cyber risk assessment and disclosure both before and after any probable cyber loss event. Current guidance only requires disclosure after an incident occurs; the FAIR Institute called that insufficient incentive for proactive risk mitigation.
The board based its position on the findings of the US Cyberspace Solarium Commission, established by Congress as a bipartisan group of lawmakers and cybersecurity experts that reported out 75 recommendations in 2020, many in line with the spirit of the FAIR movement – as the Commission said, “cyber risk is business risk.”
“It is time for organizations to push to the next level of maturity,” the FAIR Institute letter stated, “which is to align to a more business-focused approach to cyber. Our experience has proven, time and time again, that shareholders need reports that communicate the magnitude of cyber risk in terms that they can understand. We have found that communication of the impact of cyber risk in financial terms, in dollars and cents, is the best approach.”
The FAIR Institute counts over 12,000 members representing 45% of the Fortune 1000 companies and 25 U.S. Federal Government agencies. Join the Institute now; it’s free to qualified professionals.