April 1, 2022
Last month, the Securities and Exchange Commission proposed rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies (The SEC has opened a comment period until May 9th, 2022 before it moves towards a final decision). The potential change is a great opportunity for CISOs to tie their security program to their business, and communicate their impact on shareholder value.
There are two main reasons why the SEC is proposing changes. The first is that cybersecurity risk has become a consistent and meaningful risk to the financial performance of companies.
The second is that there is no standard way of reporting risk to investors, leading to uneven, infrequent and inconsistent disclosures. These issues remain despite the Sarbanes-Oxley Act of 2002, industry standards such as the Payment Card Industry Data Security Standard (PCI DSS), and other regulatory changes.
With regards to risk management reporting, the proposal would (among other things) require companies to report on:
I see two important implications for CISOs regarding the SEC’s proposal:
CISOs will need to formalize how they report on cybersecurity risk to their CEO, board of directors and investors.
CEOs: As cybersecurity risks have increased, most security leaders have already increased the detail and frequency of reporting to their CEO and the rest of the executive team. The SEC outlines some good reasons why we can all expect this trend of reporting to CEOs to continue, with or without the new rules coming into effect. For example, the SEC notes that, “In a 2019 survey, chief executive officers of the largest 200 global companies rated ‘national and corporate cybersecurity’ as the number one threat to business growth and the international economy in the next 5 or 10 years.”
The board: The SEC proposal also looks to shine a light on the role of the board. Specifically, the SEC proposal is looking for a discussion, as applicable, of:
CISOs should also expect that the board will need to know if cybersecurity risks are material to the company’s business, and that the board will look to take more of an oversight role if that turns out to be the case. In other words, reporting to the board will not only continue but likely become more of a formal, and potentially frequent, occurrence.
Investors: Finally, the SEC points out that receiving information on a company’s cybersecurity risks is an equally important issue for investors: “recent research suggests that cybersecurity is among the most critical governance-related issues for investors, especially U.S. investors,” because “these direct and indirect financial costs can negatively impact stock prices, as well as short-term and long-term shareholder value.”
While most CISOs will have presented to their leadership and/or their board members, the same is not true of their experience communicating directly, or even indirectly, with investors. If the proposal goes through, CISOs will have a new constituency to report to.
The question then follows: if CEOs, the board and investors need to be regularly informed about cyber risks, how best to do that? What data and analysis are suitable for these stakeholders?
According to the fact sheet published along with the announcement, the SEC says that “consistent, comparable, and decision-useful disclosures would allow investors to evaluate registrants’ exposure to cybersecurity risks and incidents as well as their ability to manage and mitigate those risks and incidents.”
The problem the SEC is trying to solve is that, “the varied disclosure about both cybersecurity incidents and cybersecurity risk management, strategy, and governance makes it difficult for investors and other market participants to understand the cybersecurity risks that companies face and their preparedness for an attack, and to make comparisons across registrants [i.e. companies].”
This is where CISOs will have the most work to do. Today, many security leaders repurpose the operational metrics they use to manage their teams – the number of vulnerabilities fixed, their mean time to respond, the number of vulnerable assets, etc. – to report to their company’s leadership and board. Or, they provide a qualitative narrative about where they are in the 5-year plan they’ve put together to mature their cybersecurity posture.
Even without the SEC changes, this approach is already problematic. CEOs and other executives are often confused about what to do with this information. Security leaders also find it difficult to justify their current investments, let alone ask for funds to deploy additional tools and services.
These issues will be compounded if the SEC proposal goes through. Boards will struggle with the increasing requirement to determine if cybersecurity risk is ‘material,’ and investors will not have adequate information to price cyber risk into their financial models.
CEOs, the board and investors need to receive different information from their security leaders. The most obvious option is for CISOs to measure and report on their risk in terms of dollars.
Reporting on cyber risk in dollars comes with a myriad of benefits, not the least of which is that money is a language that all of the stakeholders affected by the SEC proposal understand. Money is in fact the primary measure that CEOs, boards of directors and investors use to make their day-to-day decisions. By moving to financial reporting from operational reporting, CISOs can drive the following business outcomes:
Unfortunately, reporting on cyber risk in dollars is often harder than it sounds. At Balbix we’ve talked to hundreds of public and private companies who have started on the journey only to find this out for themselves. They were able to take a DIY approach only so far, or they followed a methodology that could only produce financial estimates of risk so broad that they were not useful for decision-making.
The answer is to automate the calculation of risk, so that it is continuously updated and so that each identified risk can be traced back to the underlying assets and vulnerabilities for prioritization and remediation.
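To make the two preceding paragraphs concrete, here is an added example (not code from the original post, and not Balbix’s methodology) of the simplest form of risk-in-dollars reporting: an annualized-loss model in which each vulnerability carries an assumed probability of being exploited within a year and each asset carries an assumed dollar loss if compromised. The asset inventory, the probabilities and the loss figures are all constructed for illustration. The point it demonstrates is the traceability the paragraph above asks for: the headline dollar figure a board or investor sees decomposes into per-asset figures, and each of those into a ranked list of which vulnerability on which asset removes the most dollars of risk if fixed.

```python
"""Cyber risk in dollars: an illustrative annualized-loss model.

Added example, not code from the original post and not Balbix's method.
Assumptions (all constructed for illustration):
  * each vulnerability carries an estimated probability that it is exploited
    against its host asset within a year;
  * each asset carries an estimated dollar loss if it is compromised;
  * an asset's risk is P(at least one of its vulns is exploited) times that
    loss, and the portfolio risk is the sum over assets.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str                       # local tracking id (constructed, not a real advisory)
    annual_exploit_probability: float  # 0..1, assumed from exploitability / threat intel


@dataclass(frozen=True)
class Asset:
    name: str
    loss_if_compromised: float         # USD, assumed from a business impact analysis
    vulns: Tuple[Vulnerability, ...]


def compromise_probability(asset: Asset) -> float:
    """P(at least one vuln on the asset is exploited this year), treating vulns as independent."""
    p_survive = 1.0
    for v in asset.vulns:
        p_survive *= 1.0 - v.annual_exploit_probability
    return 1.0 - p_survive


def expected_annual_loss(asset: Asset) -> float:
    """Dollar risk for one asset: P(compromise) * loss given compromise."""
    return compromise_probability(asset) * asset.loss_if_compromised


def total_expected_annual_loss(assets: List[Asset]) -> float:
    """Portfolio figure of the kind a board or investor summary would carry."""
    return sum(expected_annual_loss(a) for a in assets)


def remediation_priorities(assets: List[Asset]) -> List[Tuple[str, str, float]]:
    """Rank (asset, vuln) pairs by dollars of annual risk removed if that one vuln is fixed.

    Every dollar in the headline number maps back to a specific asset and
    vulnerability, which is what lets the figure drive remediation.
    """
    rows = []
    for a in assets:
        baseline = expected_annual_loss(a)
        for v in a.vulns:
            remaining = Asset(a.name, a.loss_if_compromised,
                              tuple(w for w in a.vulns if w is not v))
            reduction = baseline - expected_annual_loss(remaining)
            rows.append((a.name, v.vuln_id, round(reduction, 2)))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


# Constructed sample inventory; the names and figures are illustrative, not real data.
SAMPLE_ASSETS = [
    Asset("payments-db", 5_000_000.0, (
        Vulnerability("unpatched-rce", 0.10),
        Vulnerability("weak-admin-password", 0.05),
    )),
    Asset("marketing-site", 200_000.0, (
        Vulnerability("outdated-cms-plugin", 0.30),
    )),
    Asset("hr-laptop-fleet", 800_000.0, (
        Vulnerability("phishable-mfa-gap", 0.20),
        Vulnerability("missing-edr", 0.10),
    )),
]


if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(f"{a.name:18s} P(compromise)={compromise_probability(a):.3f} "
              f"expected annual loss=${expected_annual_loss(a):,.0f}")
    print(f"portfolio expected annual loss=${total_expected_annual_loss(SAMPLE_ASSETS):,.0f}")
    for asset, vuln, saved in remediation_priorities(SAMPLE_ASSETS):
        print(f"fix {vuln:22s} on {asset:18s} removes ${saved:,.0f}/yr")
```

On the sample data the payments database dominates the portfolio figure (about $725k of roughly $1.0M expected annual loss), and the single highest-value fix is the remote-code-execution issue on it, even though the marketing site’s plugin has a higher exploit probability; that is the kind of ranking a qualitative maturity narrative cannot produce. In practice the per-vulnerability probabilities and per-asset loss figures are the hard part and need to come from live asset inventory, exploitability data and a business impact analysis rather than hand-entered constants, which is why the post argues for automating the calculation.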
As the SEC itself notes, there may be unintended negative consequences of the proposed rule change: “the required disclosure could provide malicious actors information about which companies lack a board of directors with cybersecurity expertise, and which ones have weak policies and procedures related to cybersecurity risk management, and allow such malicious actors to determine their targets accordingly.”
As a result, CISOs should get ahead of the upcoming changes. They will be better positioned against potential attacks by having their processes, and the ability to report on risk in dollars, in place well before the new rules are implemented. They will also avoid the unnecessary cost of a failed audit by being able to provide the required information to the SEC. But perhaps most importantly, up-leveling cyber risk reporting is simply the right thing to do.