Webinar: New SEC Disclosure Rules Will Boost Cyber Risk Quantification – But Force Changes across Your Organization
Listening to our expert panel in this week’s webinar made one thing clear: The new rules on cyber risk disclosure approved by the Securities and Exchange Commission will raise the bar for risk analysis, pushing security and risk managers toward cyber risk quantification. But the SEC regulations also introduced fresh uncertainty, particularly around the new 4-day timeframe to report on incidents as well as the definition of “material risk.”
Plan your response to the new disclosure rules - watch the webinar on demand:
What the New SEC Regulation on Cyber Reporting Means for the Risk Management Profession
FAIR Institute Contributing Membership is required to view. Join now!
On the panel:
- Jack Jones, FAIR Institute Chairman, creator of the FAIR Model for quantitative risk analysis
- Richard Borden, Cybersecurity and Privacy Partner, Frankfurt Kurnit Klein & Selz
- JR Williamson, SVP & CISO, Leidos
- Cody Scott, Senior Analyst, Security & Risk, Forrester
Among the many insights on cybersecurity regulation from the discussion:
Guidance on defining materiality, the threshold for disclosing cyber incidents.
“From a risk practitioner standpoint, I need to be able to measure impact,” Cody Scott said. “If it’s material it’s measurable… That leads me to thinking risk quantification and FAIR. By putting that process in place you’re going to have a leg up on being able to determine what’s actually important.”
But material impact can extend beyond the financial loss exposure that cyber risk analysis typically measures.
Even when it makes policy for cybersecurity, the SEC’s mandate is to protect investors: information is material if a “reasonable investor” would consider it important in making an investment decision, quite a different mindset from that of cybersecurity.
“It’s going to be very difficult for companies to actually comply with this because there’s a very different language between security disclosure and cybersecurity,” Richard Borden said. “And I don’t believe we have the tools at the moment to really bridge that gap but that’s going to happen very quickly.”
Rules on incident reporting raise problems.
The SEC expects companies to disclose (in a Form 8-K filing) a cyber incident within four days of determining that it will have material impact.
JR Williamson said, “I am concerned that with this four-day (rule), once you believe that you have something material, you are going to create more shields up. Instead of sharing this information that is essential for other corporations that could be attacked by the same adversaries, now that closes down because we are worried about a potential SEC violation.” In particular, he said that could degrade the effective threat intel sharing among defense companies like Leidos.
The new SEC cyber risk disclosure rules will mandate changes beyond cybersecurity and across the organization.
Companies must make yearly disclosures (Form 10-K) describing their processes for assessing and managing material cyber risks, including the board of directors’ oversight and management’s role and cyber expertise.
“It’s a forcing function,” Cody Scott said, to do a gap analysis on risk management processes and, more generally, to communicate across silos. JR Williamson advised CISOs to reach out to Legal and Finance. “If you don’t have a good relationship with your General Counsel, you should work on that right away. Working issues that have legal or regulatory requirements is huge.”
Richard Borden added, “All this rolls up to Enterprise Risk Management and that’s where they will struggle… You have to understand your controls, not just cyber but the disclosure controls to translate and get that up to the right places… to understand how it all comes together and then is described to the public.”
Start compliance with SEC disclosure rules here…
Jack Jones concluded the session with this set of questions for CISOs to ask themselves and their organizations to begin the journey to SEC compliance: