In a speech this week, Securities and Exchange Commission Chair Gary Gensler said he has asked SEC staff for recommendations to update requirements for cybersecurity practices and cyber risk disclosure by public companies, as well as financial sector companies and their third-party vendors.
“A lot of [securities] issuers already provide cyber risk disclosure to investors,” Gensler said. “I think companies and investors alike would benefit if this information were presented in a consistent, comparable, and decision-useful manner.”
Those remarks were right in line with a letter from the FAIR Institute Board of Directors to the SEC Chair earlier this month, asking that reporting by public companies “align to a more business-focused approach to cyber.
“Our experience has proven, time and time again, that shareholders need reports that communicate the magnitude of cyber risk in terms that they can understand. We have found that communication of the impact of cyber risk in financial terms, in dollars and cents, is the best approach.”
Factor Analysis of Information Risk (FAIR™) is the international standard for quantifying cyber and technology risk in financial terms. With risk quantification, public companies can conclusively determine if a risk is material and therefore must be reported to the SEC. To date, the Commission has given general guidance on materiality, but not required a standard of “consistent, comparable and decision-useful” (in Gensler’s words) that quantification could satisfy.
SEC guidance does call for public companies to give “reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into its financial statements.” As a standard methodology, FAIR gives that “reasonable assurance.”
The FAIR Institute Board letter asked the SEC specifically to:
- Revise its guidance on audit requirements for the Sarbanes-Oxley Act to include cyber risk quantification
- Enforce cyber risk assessment and disclosure both before and after any probable cyber loss event. Current guidance only requires disclosure after an incident occurs; the FAIR Institute called that insufficient incentive for proactive risk mitigation.
Gensler did say that he has also asked staff for updated post-event disclosure requirements.