Disclosing the Business, Operational, and Financial Impacts of Cyber Risk

In March 2022, the US Securities and Exchange Commission (SEC) proposed a new rule on cyber-risk management, strategy, governance, and incident disclosure. It is as multifaceted as it sounds, and it would require certain SEC registrants to report material incidents within four business days and to make a number of disclosures pertaining to cybersecurity incidents, protocols, and risk management strategies.

The proposed rule is a response to the ongoing risk cyber threats pose to public companies and their stakeholders. In January 2023, it entered the SEC’s final rule stage.

The new rule emphasizes materiality: the relationship between cyber threats and an organization’s business, financial, and operational exposures. Compliance with the rule will mean navigating a new treatment of cyber risk: expressing these risks in business terms rather than applying the technical focus, which is the current convention. Leaders will want to determine whether the people, processes, and technology underpinning their cybersecurity ecosystems today are equipped to consider cyber risk in nontechnical terms once this rule takes effect.

Cybersecurity ecosystems grew organically as organizations needed to focus on threats. Now, these ecosystems must evolve to meet new transparency and materiality requirements. Organizations will have to articulate the processes by which they determine materiality and consider how boards will determine—in four business days—which incidents require disclosure. The upside? A business perspective is a more effective basis for prioritizing potential threats and strategizing to manage risk than a technical perspective ever could be.

Summary of Requirements

A recent analysis outlined the SEC’s new requirements (which are summarized below):

• Report material cybersecurity incidents within four business days of detection and provide periodic updates on previously reported cybersecurity incidents.

• Report cybersecurity incidents that have become material in the aggregate.

• Disclose the policies and procedures by which the organization identifies and manages cybersecurity risks.

• Report the extent to which the organization engages third parties in its cyber-risk assessments, and the policies and procedures by which the organization oversees and identifies cyber risks associated with its use of third-party service providers.

• Disclose the organization’s business continuity, contingency, and recovery plans.

• Disclose how cyber risks are considered as part of the organization’s business strategy, financial planning, and capital allocation.

• Disclose the board’s oversight of cyber risk, as well as management’s role—and expertise in—assessing and managing cyber risk and implementing cybersecurity policies and procedures.

• Report both annually and with certain proxy disclosures whether any member of the board possesses cybersecurity expertise.

Cyberattacks will negatively impact stock prices, as well as short- and long-term shareholder value. Some attacks have been severe enough to put companies out of business. The SEC enumerated examples of costs and damage that can stem from material cybersecurity incidents:

• Business interruption, decreased production, delayed product launches;

• Ransom and extortion demands;

• Remediation costs related to liability for stolen data, repairing system damage, and incentivizing customers and partners to maintain relationships after an attack;

• Increased cybersecurity protection costs such as higher insurance premiums and additional cybersecurity staff and technologies;

• Lost revenue when intellectual property is stolen and used in an unauthorized way;

• Litigation and regulatory actions;

• Harm to stakeholders, violations of privacy laws, and reputational damage; and

• Erosion of the organization’s competitiveness, stock price, and long-term shareholder value.

A Shift in Perspective

With this new rule, the SEC is compelling certain registrants to consider cyber risk as business risk and to express the risk to investors in business terms. The rule benefits registrants too: boards will view cyber risk through a business lens and apply the resulting insights to mitigating risk. By keeping materiality top of mind, boards can make smarter cybersecurity investments, enacting controls and techniques to reduce risks associated with potential incidents.

Cybersecurity reporting has traditionally expressed risks as high, medium, or low, and measured effectiveness by quantifying blocked threats. New cybersecurity reporting will focus on material impacts in business, operational, and financial terms; for example, “Every day the plant is inoperative, we lose $1 billion. If a cyberattack costs us seven days’ production, we lose $7 billion.” This reporting will expose the threats that would do the most harm and describe how those threats would be suppressed. These are terms upon which boards, investors, and insurers can base decisions about risk controls and risk transfer. New cybersecurity reporting, therefore, helps determine where to direct cybersecurity investments, as well as how to optimize cybersecurity measures.

Technology changes quickly and cyber threats do, too. No control remains effective forever. That’s why controls must be as dynamic as the technologies they protect and the threats they protect against. Static analyses of today’s risk are less helpful than establishing a regular flow of information to the board that supports cybersecurity investment decisions based on business, operational, and financial considerations. With the board’s eyes kept regularly on cybersecurity as an aspect of routine governance, directors will be equipped to comply with the SEC’s new requirements.

Terry Jost is managing director of global security and privacy segment leader at Protiviti.

Chris Hetner is special advisor for cyber risk at NACD and prior senior cybersecurity advisor to the SEC chair.

Looking for better insight into your company’s cyber-risk exposures and how to improve the cybersecurity program? The X-Analytics Cyber Risk-Reporting Service, brought to you by NACD, can help.