February 22, 2023
In March 2022, the US Securities and Exchange Commission (SEC) proposed a new rule on cyber-risk management, strategy, governance, and incident disclosure. It is as multifaceted as it sounds, and it would require certain SEC registrants to report material incidents within four business days and to make a number of disclosures pertaining to cybersecurity incidents, protocols, and risk management strategies. The proposed rule is a response to the ongoing risk cyber threats pose to public companies and their stakeholders. In January 2023, it entered the SEC’s final rule stage.
The new rule emphasizes materiality: the relationship between cyber threats and an organization’s business, financial, and operational exposures. Compliance with the rule will mean navigating a new treatment of cyber risk: expressing these risks in business terms rather than in the technical terms that are the current convention. Leaders will want to determine whether the people, processes, and technology underpinning their cybersecurity ecosystems today are equipped to consider cyber risk in nontechnical terms once this rule takes effect.
Cybersecurity ecosystems grew organically as organizations needed to focus on threats. Now, these ecosystems must evolve to meet new transparency and materiality requirements. Organizations will have to articulate the processes by which they determine materiality and consider how boards will determine—in four business days—which incidents require disclosure. The upside? A business perspective is a more effective basis for prioritizing potential threats and strategizing to manage risk than a technical perspective ever could be.
A recent analysis outlined the SEC’s new requirements (which are summarized below):
Cyberattacks will negatively impact stock prices, as well as short- and long-term shareholder value. Some attacks have been severe enough to put companies out of business. The SEC enumerated examples of costs and damage that can stem from material cybersecurity incidents:
With this new rule, the SEC is compelling certain registrants to consider cyber risk as business risk and to express the risk to investors in business terms. The rule benefits registrants too: boards will view cyber risk through a business lens and apply the resulting insights to mitigating risk. By keeping materiality top of mind, boards can make smarter cybersecurity investments, enacting controls and techniques to reduce risks associated with potential incidents.
Cybersecurity reporting has traditionally expressed risks as high, medium, or low, and measured effectiveness by quantifying blocked threats. New cybersecurity reporting will focus on material impacts in business, operational, and financial terms; for example, “Every day the plant is inoperative, we lose $1 billion. If a cyberattack costs us seven days’ production, we lose $7 billion.” This reporting will expose the threats that would do the most harm and describe how those threats would be suppressed. These are terms upon which boards, investors, and insurers can base decisions about risk controls and risk transfer. New cybersecurity reporting, therefore, helps determine where to direct cybersecurity investments, as well as how to optimize cybersecurity measures.
Technology changes quickly and cyber threats do, too. No control remains effective forever. That’s why controls must be as dynamic as the technologies they protect and the threats they protect against. Static analyses of today’s risk are less helpful than establishing a regular flow of information to the board that supports cybersecurity investment decisions based on business, operational, and financial considerations. With the board’s eyes kept regularly on cybersecurity as an aspect of routine governance, directors will be equipped to comply with the SEC’s new requirements.
Terry Jost is managing director and global security and privacy segment leader at Protiviti.
Chris Hetner is special advisor for cyber risk at NACD and former senior cybersecurity advisor to the SEC chair.