Plan your response to the new disclosure rules - watch the webinar on demand:
What the New SEC Regulation on Cyber Reporting Means for the Risk Management Profession
FAIR Institute Contributing Membership is required to view. Join now!
On the panel:
Guidance on defining materiality, the threshold for disclosing cyber incidents.
Material impact can be more than the financial loss exposure from cyber risk.
When it makes policy touching cybersecurity, the SEC’s mandate is to look out for what a “reasonable investor” would consider material information for an investment decision, a mindset quite different from that of cybersecurity.
“It’s going to be very difficult for companies to actually comply with this because there’s a very different language between security disclosure and cybersecurity,” Richard Borden said. “And I don’t believe we have the tools at the moment to really bridge that gap but that’s going to happen very quickly.”
Rules on incident reporting raise problems.
JR Williamson said “I am concerned that with this four-day (rule), once you believe that you have something material, you are going to create more shields up. Instead of sharing this information that is essential for other corporations that could be attacked by the same adversaries, now that closes down because we are worried about potential SEC violation.” In particular, he said that could degrade the effective threat intel sharing among defense companies like Leidos.
The new SEC cyber risk disclosure rules will mandate changes beyond cybersecurity and across the organization.
Companies must make yearly disclosures (Form 10-K) describing their processes for assessing and managing material cyber risks, including the board of directors’ oversight and management’s role and cyber expertise.
“It’s a forcing function,” Cody Scott said, to do a gap analysis on risk management processes – and more generally communicate across silos. JR Williamson advised CISOs to reach out to Legal and Finance. “If you don’t have a good relationship with your General Counsel, you should work on that right away. Working issues that have legal or regulatory requirements is huge.”
Richard Borden added “All this rolls up to Enterprise Risk Management and that’s where they will struggle…You have to understand your controls, not just cyber but the disclosure controls to translate and get that up to the right places…to understand how it all comes together and then is described to the public.”
Start compliance with SEC disclosure rules here…
Jack Jones concluded the session with this set of questions for CISOs to ask themselves and their organizations to begin the journey to SEC compliance: