The Securities and Exchange Commission’s new guidance on cybersecurity risk disclosure landed with a thud in board rooms, C-suites and infosecurity shops, particularly for its requirements on reporting ongoing cyber risks (that is, potential cyber incidents) that could materially impact the company, meaning impact measured in financial terms.
“That’s entirely new and most organizations are going to look at each other across the table and say, ‘how are we going to do that?’” says Jack Jones, creator of the FAIR model.
In this one-hour webinar, now available for on-demand viewing, Jack has some answers (hint: FAIR was built for estimating potential cyber risk in financial terms), some actionable tips and some fresh insights into the SEC’s sometimes contradictory guidance.
Some of Jack’s key points:
- All publicly traded companies have some exposure to material, cyber-related risk, because all companies, regardless of business type, are now holding data, running applications, protecting IP, and otherwise operating with a large digital footprint.
- The effect on share prices from data breaches and other attacks on public companies has been limited (with a couple big exceptions: Yahoo! and Equifax). But that may change.
- If organizations don’t take a disciplined view of their threat landscape and controls, they may under-report risk, leading to negligence charges, or over-report it, leading to unwarranted reputation damage.
Jack discusses how to use FAIR methods, and some existing standards for materiality from the financial world, to meet stricter SEC guidelines on both cyber incident reporting and ongoing risk disclosure.
Listen at the end, in the question period, to the discussion of the material damage to Facebook from revelations about unauthorized use of its data. Jack’s comment: “It’s often less about what happened than how the company deals with what happened.”