In his recent Senate confirmation hearing, the pressure was on Gary Gensler, the new Administration’s nominee to lead the Securities and Exchange Commission, to “upgrade the SEC’s climate-risk disclosure requirements,” as the Wall Street Journal reported. Senators would have done well to focus on upgrading disclosure for cyber risk.
It's time to stop the opaqueness of cyber risk reporting. Many companies still assess cyber risk by assigning color codes or high-medium-low ratings. New models and standards for quantifying cyber risk have emerged and have been in use for years now – with Factor Analysis of Information Risk (FAIR™), the international standard for cyber risk quantification, chief among them. Recent tech advances and greater availability of data are making the assessment of cyber risk easier than ever.
Boards and regulators should demand better disclosure of cyber risk - in financial terms - along with evidence of adequate remediation plans. The Cyberspace Solarium Commission last year did call for the quantification of cyber risk and urged the SEC to start including quantitative cyber risk assessments – now a mere guidance - as part of SOX audits.
I hope that, once the new head of the SEC is confirmed, the agency will move ahead with the recommendation and help organizations give themselves the means to finally size their cyber risk which will provide the right impetus and business support for more effective risk mitigation strategies. It's time for cyber risk to be held to higher standards to ensure we stop the erosion of trust and wealth due to cyber attacks.