The Securities and Exchange Commission recently proposed amendments to its rules that would require reporting on cyber risk in a fast, “consistent, comparable and decision-useful manner,” as SEC Chair Gary Gensler said – a goal that effectively calls for regulated public companies to run a cyber risk management program based on risk quantification in financial terms, using transparent, standard models like Factor Analysis of Information Risk (FAIR™).
Nick Sanna is President of the FAIR Institute.
Let’s unpack the proposed rules and their implications for cyber risk management, and then consider how the Commission could go further to incentivize public companies to more proactively assess their top risks and plan their defenses. (See the entire proposed rules, the fact sheet and press release.)
1. Report Material Cyber Incidents within Four Days
Companies would need to determine that an incident posed a material risk and report it to the SEC within four days, a rapid turnaround that virtually assumes that the organization had previously compiled loss data and run risk analyses for the financial impact of Confidentiality, Integrity, and Availability scenarios.
2. Report on Ongoing and Cumulative Effect of Cyber Incidents
Costs of cyber incidents can come due over many months, particularly for fines and judgments, so the new rules would require updating the impact of previously disclosed incidents as well as when a “series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate” – suggesting a capability to aggregate cyber risk scenarios in financial terms and an ongoing quantitative cyber risk assessment program.
3. Disclose Policies and Procedures for Cyber Risk Management
The proposed rules aim to raise the curtain on “a registrant’s policies and procedures, if any, for identifying and managing cybersecurity risks,” on risk governance by the board, and on management’s role in “assessing and managing cybersecurity related risks.” In other words, the onus is on the organization to show that it runs cyber risk management based on transparent and defensible practices.
Though the proposed rules speak in restrained legalese, the SEC is clearly warning public companies that it means business: “There is growing concern that material cybersecurity incidents are under-reported, and that existing reporting may not be sufficiently timely.”
FAIR-based Risk Management Meets the Spirit of the SEC’s Proposed Rules
The proposed amendments add to prior cyber risk guidance, including guidance that requires public companies to disclose how cybersecurity risks and incidents are likely to impact the company’s financials and the breakdown in costs.
Public companies looking to comply with the spirit and letter of these proposed SEC rules should consider a risk management program based on FAIR, the widely accepted, open standard for quantitative analysis of cyber risk, recognized by the National Institute of Standards and Technology (NIST) and other authoritative bodies. FAIR provides cyber risk analysis in financial terms that are “consistent, comparable and decision-useful” and are completely transparent and defensible as a basis for an SEC-regulated company’s policies and procedures on cyber risk management.
The FAIR Institute Encourages the SEC to Be Even More Proactive on Cyber Risk Disclosure
The FAIR Institute applauds the SEC for stepping up reporting requirements on cyber loss events, but we encourage the Commission to do better still.
In January 2022, the Board of the FAIR Institute sent a letter to SEC Chair Gensler asking that the Commission explicitly direct disclosure of top cyber risks in financial terms as a “critical means to better understand the impact of cybersecurity events and to determine the adequacy of risk mitigation measures.”
“Shareholders need reports that communicate the magnitude of cyber risk in terms that they can understand,” we wrote to Chairman Gensler. “We have found that communication of the impact of cyber risk in financial terms, in dollars and cents, is the best approach.”
The Board also urged the SEC to enforce through its disclosure rules and Sarbanes-Oxley reporting “cyber risk disclosures both pre- and post- any probable cyber loss event,” not just after an event, as the current and proposed rules require.
The SEC’s position now “does not provide sufficient incentive to proactively assess the materiality of top cyber risks and adopt adequate risk mitigation measures and will continue to result in too many breaches that could have otherwise been prevented,” our letter said.
“It is time for organizations to push to the next level of maturity, which is to align to a more business-focused approach to cyber,” we wrote.
The FAIR Institute sincerely hopes that the SEC will lead in the movement to a more proactive stance on disclosing and managing cyber risk in quantitative terms, and we offer our support and expertise for any proposals the Commission wishes to consider in that regard.