New regulation from the SEC to require companies to report how cyber risk could affect them financially

Against the backdrop of the growing frequency and severity of cyber attacks against enterprises, proposed new regulations from The Securities and Exchange Commission (SEC) are set to require publicly traded companies in the U.S. to analyze how cyber risk could affect financial statements.

‍

Financial losses from cyberattacks are growing

In March 2022,  SEC Chair Gary Gensler acknowledged just how financially damaging cyber risk has become, stating that “The economic cost of cyberattacks is estimated to be at least in the billions, and possibly in the trillions, of dollars”.

The objective of the new rules are to strengthen the cyber security posture and resilience of businesses in general and the financial sector in particular.

The desire for enterprise decision makers to financially quantify cyber risk has long been strong internally, however the recent move by one of the most influential Wall St. regulators will give new impetus to invest in robust cyber risk management capabilities.

Learn more about how the Quantum Platform - Financially Quantify Enterprise Cyber Risk

‍

The Importance of financially quantifying cyber risk

The regulations, which are expected to be finalized in April 2023 would provide investors with faster access to potential investment risks driven by cyber events. They also push enterprise decision makers to ensure they have a robust approach to monitoring and mitigating their cyber risk exposure.

It’s important to note that the SEC’s new rules only apply to publicly traded companies. Privately held companies are not subject to these disclosure requirements, but they may want to consider voluntary disclosure as a way to improve their cyber security posture.

The spotlight being shone by the SEC on the financial impact is in line with a broader market evolution that elevates and views cyber risk as a critical business risk.

The benefits of understanding and communicating cyber risk in financial terms means that in addition to meeting regulatory requirements such as those proposed by the SEC and others, executives such as the CISO, CRO, CFO, board members, and others can get the financially quantified answers they need around areas such as:

1. Justifying Cybersecurity Investments - Prioritize and justify cybersecurity investments that maximize risk reduction.
2. Optimizing Cyber Insurance and Risk Transfer Placements - Identifying gaps between risk mitigation options and cyber insurance spending to maximize your risk management decisions and strengthen business resilience.
3. ‍Measuring ROI of Cyber Security Programs- Assessing the ROI of your cybersecurity program and stress test it based on potential risk mitigation actions, thereby supporting better resource allocation.

This approach is aligned with the overall intention from the SEC as is evidenced by Mr. Gensler's statement, “I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.” Platforms such as  Kovrr’s Quantum  can deliver all these powerful data-driven insights on-demand with the click of a button.

‍

‍

Overview of the proposed regulations

The following is an overview of the three main areas the proposed new regulations will address

1. Reporting Cyber Security Incidents: Companies will be required to document and report the regulator if they suffer a material cybersecurity incident within 4 days of the event. They will also be required to periodically report the status of any cybersecurity incident that was previously reported.

2. Cyber Mitigation Strategies: In addition to reporting when they have experienced a cybersecurity incident they will also be required to state which strategies they used to mitigate it.

3. Disclosing Cybersecurity Expertise: The proposal will require annual reporting or certain proxy disclosure about the level of cybersecurity expertise represented on the board of directors.  It will also seek to document what oversight the Board has on cyber security risk and state the management’s role and expertise is in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.

Financially quantifying cyber risk in terms of dollars is an excellent way to demonstrate whether a cyber security event is material. Using our Quantum CRQ platform, organizations can do just that—evaluating the potential financial impact of a cyber attack and assessing if it is material or not.

‍

Significance and Materiality

All significant cybersecurity incidents must be reported under the new regulations. Those reports must be made within 48 hours of any significant incident. Whether those incidents happen to an advisor or registered fund, those reports must be made where there is significant disruption or degradation of the ability to either continue operations or a compromise of information where that substantially harms the advisor, fund, or their clients or investors.

There’s a lot to unpack there:

1. Advisor or Registered Fund - as highlighted above, only certain entities involved in the exchange and management of securities are covered.
2. Significant disruptions or degradation [of services] - there must be a real and not speculative impact to services provided.
3. Continued operations - the advisor or registered fund must have a significant impairment of operations.
4. Compromise of Information with Substantial Harm - alternatively, the advisor or registered fund may continue operations but have a data exfiltration event that has an adverse impact to the organization, its clients, or downstream investors.

Those represent a lot of qualifiers. They also leave a lot to be desired. For example, “substantial harm” is a critical reporting threshold that is undefined. While that’s likely to be defined in litigation, risk quantification and management is critical to proactively assess potential business impacts resulting from data exfiltration events.

“Materiality” is another concept introduced under the regulations. Registered Funds and Advisors are required to describe both prospective material cybersecurity impacts and actual historical cybersecurity impacts from the past two years that constitute significant cybersecurity incidents.

Organizations will find prospective risk descriptions impossible without some form of cyber risk quantification. Kovrr automates the most complex part of prospective risk identification: quantifying and valuing risk. Kovrr measures and predicts some of the most critical impacts and prospective risks to an organization including ransomware demands, third party security risks, lost revenue and litigation costs, and more.

‍

Financially quantify, mitigate, and manage

The SEC’s new rules are a step in the right direction for improving cybersecurity disclosure. Cybersecurity is a rapidly developing field and organizations need to take a holistic and technology led approach to manage their risks.

This includes measures such as (1) Using a CRQ platform such as the Quantum to identify and financially quantify cyber risks, (2) assess and implement cyber risk mitigation strategies, and (3) monitoring ongoing and emerging risks.

To learn more about how Kovrr can help your organization comply with these new regulatory requirements, Book a demo with our experts.

‍

‍

‍