“A lot of [securities] issuers already provide cyber risk disclosure to investors,” Gensler said. “I think companies and investors alike would benefit if this information were presented in a consistent, comparable, and decision-useful manner.”
Those remarks were right in line with a letter from the FAIR Institute Board of Directors to the SEC Chair earlier this month, asking that reporting by public companies “align to a more business-focused approach to cyber.
“Our experience has proven, time and time again, that shareholders need reports that communicate the magnitude of cyber risk in terms that they can understand. We have found that communication of the impact of cyber risk in financial terms, in dollars and cents, is the best approach.”
Factor Analysis of Information Risk (FAIR™) is the international standard for quantifying cyber and technology risk in financial terms. With risk quantification, public companies can conclusively determine if a risk is material and therefore must be reported to the SEC. To date, the Commission has given general guidance on materiality, but not required a standard of “consistent, comparable and decision-useful” (in Gensler’s words) that quantification could satisfy.
SEC guidance does call for public companies to give “reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into its financial statements.” As a standard methodology, FAIR gives that “reasonable assurance.”
The FAIR Institute Board letter asked the SEC specifically to:
Gensler did say that he has also asked staff for updated post-event disclosure requirements.
Learn more in these FAIR Institute blog posts:
The SEC's New Cyber Risk Disclosure Guidance: Textbook Case for FAIR
Webinar on Demand: Jack Jones' Tips on SEC Cybersecurity Guidance