Tips and insight from Jack Jones and Jack Freund, authors of the FAIR book...
The Securities and Exchange Commission’s new guidance on cyber risk disclosure has shaken up infosec teams, C-suiters and board members at public companies over the past two weeks. The new directives significantly raise the bar in terms of how cyber risk is to be assessed, managed and reported. While the guidance is robust, there are many areas still open to interpretation.
The FAIR model and a quantitative approach to risk can point a way through this new red tape jungle — and, for the best possible guidance on the SEC's new expectations, we turned to Jack Jones and Jack Freund, authors of the FAIR book, Measuring and Managing Information Risk.
“This is definitely another stake in the coffin for those who reject quantifying cyber risk,” says Freund. “The potential for loss that the SEC is expecting firms to provide guidance on is really around loss exposure and liability. FAIR was built to solve just this problem: measuring value at risk from cyber incidents.”
Here are key points Jones and Freund think you should know in preparing to meet the new requirements from the SEC.
Clarification of terms needed – apply some disciplined FAIR-style thinking.
Jones suggests that the SEC's use of the term "incident" is perhaps not as clear as it could be. For many practitioners, an incident could be anything from an actual loss event to an audit finding. Likewise, the word "risk" is very often used inconsistently throughout the profession. However, to provide consistent interpretation, use and reporting within the context of the SEC's intent, "incident" should be interpreted as an actual loss event that has materialized, and "risk" as a potential loss event scenario.
There are three dimensions to SEC reporting, and FAIR analysis can help with each.
1. Reporting on cyber incidents the company has suffered during the reporting period.
- This is all about reporting on loss history/past cyber incidents, and in FAIR terms, that’s about impact, not frequency, says Jones. So your best approach is to focus on the Magnitude side of the FAIR model, especially the six forms of loss in cyber incidents (productivity loss, response cost, etc.) laid out in FAIR to evaluate and report your organization's material loss experience.
2. Reporting on ongoing cyber risks to the company—in other words, potential cyber incidents.
- Here’s where the FAIR model most comes into play. “You absolutely need something like FAIR to evaluate the probable frequency and magnitude of future cyber loss events,” says Jones, “and to generate a quantified view of loss exposure if you’re going to meet this dimension of the SEC's requirements.”
3. Reporting on the condition of the company’s security program.
- Jones cautions that the guidance here has some contradictions: “On one page they say they don’t want details that would increase the organization’s exposure, then on another page they lay forth a requirement to report security program efficacy information that could increase exposure. And on a third page, they mention cybersecurity budget, which isn’t useful – it’s not how much you spend, it’s how well you spend it.”
- Freund suggests that companies look on this directive as “an opportunity to be very consistent. If you start with FAIR analysis on a granular level, then aggregate up to the level of materiality [see more below], you have a mature, very linear approach.”
Meet the guidance on “board risk oversight” in a meaningful way.
The SEC document has some direct language about the requirement to disclose “how a board of directors is discharging its risk oversight responsibility in this increasingly important area” of cybersecurity. “The intention is right but it doesn't feel like they flesh it out in a way that’s as useful as it could be,” Jones says. “The focus of this section of the guidance is on board reporting and engagement – which is a good thing – but if the content of those board discussions and reporting revolves around heat maps and/or KRI's and KPI's that aren't tightly coupled to loss exposure levels, it’s not really meeting the SEC's intent.”
A big decision public companies face on SEC cybersecurity disclosure rules: What qualifies as “material” and so requires disclosure? FAIR provides a structure.
This goes to the heart of any public company’s response to the guidance document. Companies must report on material cyber risks or incidents or, as Jones says, information that “might cause an investor to invest differently.” Given the lack of specific guidance on a protocol for determining what's material and what's not, companies have a lot of latitude to make subjective calls. Formulas for determining financial reporting materiality exist, but there are more than a few of them and none of them speak directly to cyber-related exposure. For cyber-related disclosures to be consistent and meaningful, that has to be resolved. Jones says he's working on just such a protocol, which he'll share in a future blog post.
FAIR already provides the structure, though. A FAIR analysis shows a range of outcomes for loss exposure in monetary terms, and essentially, companies are “putting a stake in the ground and saying anything beyond this level of loss and/or exposure, we think would be impactful for the investor community,” says Freund. “Another way to look at it is risk appetite” – a monetary figure that appears as a comparison point in FAIR analysis results against a materiality threshold.
Let’s get hands-on: 5 steps toward SEC compliance through FAIR analysis.
- Identify the loss event scenarios relevant to the organization. This blog post, Where to Find Risk Scenarios to Analyze, lays out the high level process of identifying risks.
- From those relevant scenarios pick the Top 10 or whatever number covers your top risks. Read Jones’ blog series: Best Approach to Prioritizing Risks.
- Run a FAIR analysis of the top group to determine which present the greatest loss exposure. Often, Jones says, the top three or so represent 80 per cent of the overall risk for the organization. (Note: there are tools for running enterprise-grade FAIR risk analyses, such as RiskLens.)
- Determine what monetary figure the organization wants to use for the materiality line. Until a standard protocol exists for materiality, organization boards should define it, probably in line with how it's been defined for their other financial reporting.
- Take a look at the distribution of loss exposure in your FAIR analysis results and draw a line in the sand, for instance, any analysis where the 80th percentile exceeds the materiality threshold – that’s what the organization would disclose.
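Steps 3 to 5 above as an added worked example (this is not code from the post, from the FAIR Institute or from any FAIR tool): a small Monte Carlo FAIR-style analysis that ranks constructed loss event scenarios by annualized loss exposure, reports each one's share of the total, and flags any whose 80th-percentile annual loss crosses the materiality line. The scenario ranges, the $10M threshold and the use of triangular distributions in place of the PERT curves FAIR tooling normally uses are all assumptions made for the illustration.

```python
import math
import random
from collections import namedtuple

# name, loss event frequency per year (min, most likely, max), dollars per event (min, most likely, max)
Scenario = namedtuple("Scenario", "name lef magnitude")

def poisson(rate, rng):
    """Event count for one simulated year (Knuth's method)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(s, trials, rng):
    """Monte Carlo annualized loss: sample a yearly rate from the LEF range, draw how many
    events occur, then sum one sampled magnitude per event (triangular stands in for PERT)."""
    totals = []
    for _ in range(trials):
        rate = rng.triangular(s.lef[0], s.lef[2], s.lef[1])  # random.triangular(low, high, mode)
        count = poisson(rate, rng)
        totals.append(sum(rng.triangular(s.magnitude[0], s.magnitude[2], s.magnitude[1])
                          for _ in range(count)))
    return totals

def materiality_report(scenarios, threshold, pct=0.80, trials=5000, seed=7):
    """Rank scenarios by mean annualized loss, give each one's share of total exposure,
    and flag those whose chosen percentile of loss exceeds the materiality threshold."""
    rng, rows = random.Random(seed), []
    for s in scenarios:
        losses = sorted(simulate_annual_loss(s, trials, rng))
        at_pct = losses[round(pct * (trials - 1))]  # e.g. the 80th-percentile annual loss
        rows.append({"scenario": s.name, "mean": sum(losses) / trials,
                     "at_pct": at_pct, "disclose": at_pct > threshold})
    rows.sort(key=lambda r: r["mean"], reverse=True)
    total = sum(r["mean"] for r in rows) or 1.0
    for r in rows:
        r["share"] = r["mean"] / total
    return rows

# Constructed, illustrative scenarios and threshold (not figures from the post).
SCENARIOS = [
    Scenario("PII breach via customer web app", lef=(3, 6, 12), magnitude=(1e6, 3e6, 12e6)),
    Scenario("Ransomware on core ERP", lef=(0.1, 0.3, 1.0), magnitude=(2e6, 8e6, 40e6)),
    Scenario("Lost unencrypted laptop", lef=(0.01, 0.05, 0.1), magnitude=(1e4, 5e4, 2e5)),
]
MATERIALITY_THRESHOLD = 10e6  # dollars; the board draws this line
```

Calling `materiality_report(SCENARIOS, MATERIALITY_THRESHOLD)` returns the ranked rows; the `share` column is where the "top three carry 80 per cent" observation shows up, and `disclose` is the line-in-the-sand test from step 5.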
And a final caution/tip from Jack Freund:
“Although this is for public companies, I think it’s foreshadowing what we’ll see across the board from regulators. Any regulated company should look at this as a runway to get ready.”
Jack Jones is Chairman of the FAIR Institute.
Jack Freund is Director for Cyber Risk at TIAA.