The Harvard Law School Forum on Corporate Governance recently published an article, Proposed SEC Cyber Rules: A Game Changer for Public Companies, that outlines how new SEC rules could require an in-depth understanding of the potential liabilities related to cyber risk for public companies. This would have a major impact on how organizations measure and discuss infosecurity risk.
The SEC issued guidance on cybersecurity disclosures in 2018 and has clarified it through enforcement actions since. The statement is a detailed warning to public companies to shape up their cyber risk assessment, reporting, and management programs. Some critics considered these guidelines somewhat vague and not nearly prescriptive enough.
Adam Lamantia is an Account Executive for RiskLens
The new proposed rules “appreciably increase corporate accountability on cyber risk from the boardroom on down,” the Harvard Law authors write. The rules would require public companies to report material cyber incidents within four days of discovering the event. This requires organizations to get a firm grasp on materiality in the context of their own business.
Defining Material Risk
What constitutes materiality? It is more than equity risk alone: other financial costs, fines, penalties, and litigation costs all count, to name a few. Calculating projected cyber risk is not yet a widespread practice, even though estimating potential liability is common in other industries, such as banking and manufacturing. When organizations do calculate cyber risk exposure for their top risks today, it is not comprehensively measured and defined. Risks are defined in broad categories such as "data breach" or "the cloud," and are often expressed in non-financial, high/medium/low terms.
“This new provision will not only require companies to understand materiality in the context of a breach, but it will have the effect of challenging boards and management teams to understand materiality in financial terms before breaches occur,” the Harvard authors write.
Meeting the obligations of the proposed rules change would require organizations to gain an ongoing financial understanding of their top cyber risks. With cyber risk quantification, public companies can conclusively determine if any risk is material and therefore must be reported to the SEC.
The board of the FAIR Institute has called on the SEC to direct public companies to proactively disclose top cyber risks in financial terms.
Further, with a quantified approach, businesses can gain visibility into how cyber risk could impact their business operations. As the Harvard article details, there was a cyber incident at Toyota recently that resulted in shutting down part of their operations. The attack didn't directly cause the outage, but the lack of understanding regarding how cyber risk impacted business operations forced Toyota to shut down to control the impact.
In situations like this, it's important to have a financial understanding of probable cyber incidents so a company can compare likely cost to their thresholds of materiality. A $100b company could absorb the costs of a $1m incident. A $100m event would be another story. This requires detailed understanding of the top risks within the context of the business.
Necessity of Risk Quantification
Essentially, the SEC is requiring companies to run an ongoing cyber risk quantification program. How else would they be ready to report a material impact within four days? If these rules went into effect tomorrow, the result would be like a board member suddenly asking for risk to be reported in financial terms in time for an upcoming quarterly meeting. After a desperate scramble to comply, many teams' answers would ultimately be "No, we can't do that." It is one thing to fail to deliver to the board, another thing entirely when the SEC is involved after a breach.
Many innovative cyber risk leaders have already made the move from qualitative to quantitative risk assessments with Factor Analysis of Information Risk (FAIR™), the international standard for quantifying cyber and technology risk in financial terms.
The adoption of FAIR-based programs helps public companies make risk-informed decisions, optimize their cybersecurity investments and, most pertinent to the proposed rules change, address regulatory and privacy requirements.
By defining specific loss events on mission-critical systems and business processes, and by helping companies measure their liabilities (impact on productivity, exposure to fines and judgments, etc.), FAIR programs enable organizations to calculate their material risk for a variety of scenarios.
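To make the comparison described above concrete (a per-scenario loss estimate set against a materiality threshold), here is an added example that is not RiskLens or FAIR Institute code: a simplified FAIR-style Monte Carlo that draws loss event frequency and primary/secondary loss magnitude from calibrated ranges, then reports how likely a year's loss is to reach the threshold. The scenario, its estimates, the $25m threshold and the 10% decision rule are all constructed assumptions for illustration.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Pert:
    """Calibrated min / most-likely / max estimate, drawn as Beta-PERT (FAIR's usual range input)."""
    low: float
    likely: float
    high: float

    def sample(self, rng):
        if self.high == self.low:  # point estimate: nothing to sample
            return self.likely
        w = (self.likely - self.low) / (self.high - self.low)
        return self.low + (self.high - self.low) * rng.betavariate(1 + 4 * w, 1 + 4 * (1 - w))

def poisson(rng, lam):
    """Knuth's Poisson sampler: number of loss events in one simulated year (lam >= 0)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

@dataclass
class Scenario:
    name: str
    lef: Pert        # loss event frequency, events per year
    primary: Pert    # per-event primary loss ($): incident response, lost productivity
    secondary: Pert  # per-event secondary loss ($): fines, judgments, litigation

def simulate(scn, threshold, years=10_000, seed=1):
    """Monte Carlo over simulated years; summarises annual loss against a materiality threshold."""
    rng = random.Random(seed)
    annual = sorted(
        sum(scn.primary.sample(rng) + scn.secondary.sample(rng)
            for _ in range(poisson(rng, scn.lef.sample(rng))))
        for _ in range(years))
    pct = lambda q: annual[int(q * (years - 1))]
    return {"mean": sum(annual) / years, "p50": pct(0.5), "p90": pct(0.9),
            "p_material": sum(a >= threshold for a in annual) / years}

def is_material(result, min_probability=0.10):
    # Decision rule (an assumption): flag if a loss year at or above the threshold is at least this likely.
    return result["p_material"] >= min_probability

# Constructed example: unplanned plant control system outage; every figure here is an assumption.
OUTAGE = Scenario("plant control system outage", Pert(0.1, 0.3, 1.0),
                  Pert(2e6, 8e6, 40e6), Pert(0.0, 3e6, 60e6))
MATERIALITY_THRESHOLD = 25e6
```

Run `simulate(OUTAGE, MATERIALITY_THRESHOLD)` to get the mean, median and 90th-percentile annual loss plus the probability of a threshold-crossing year, and pass the result to `is_material` to apply the decision rule.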
As the authors of the Harvard article say, “The writing on the wall is clear. Significant regulatory change to cyber risk is inevitable as the SEC begins to finalize these rules. These changes however aren’t anything that a high-performing corporate board and management team can’t, or more accurately, shouldn’t already be doing.”