The recent closure by Toyota of all of its Japanese factories was merely the most recent example of how paralyzing and damaging a cyber attack can be.
Against the backdrop of the growing frequency and severity of cyber attacks against enterprises, proposed new regulations from the Securities and Exchange Commission (SEC) are set to require publicly traded companies in the U.S. to analyze how cyber risk could affect financial statements.
A recent speech by SEC Chair Gary Gensler acknowledged just how financially damaging cyber risk has become, stating that “The economic cost of cyberattacks is estimated to be at least in the billions, and possibly in the trillions, of dollars”.
The objective of the new rules is to strengthen the cyber security posture and resilience of businesses in general and the financial sector in particular.
The desire among enterprise decision makers to financially quantify cyber risk has long been strong internally; however, the recent move by one of the most influential Wall St. regulators will give new impetus to invest in robust cyber risk management capabilities.
The regulations, which are still open to public comment, would give investors a faster way to identify and assess potential investment risks. They also push enterprise decision makers to ensure they have a robust approach to monitoring and mitigating their cyber risk exposure.
It’s important to note that the SEC’s new rules only apply to public companies. Private companies are not subject to these disclosure requirements, but they may want to consider voluntary disclosure as a way to improve their cyber security posture.
The spotlight the SEC is shining on financial impact is in line with a broader market evolution that elevates cyber risk to the status of a critical business risk.
The benefit of understanding and communicating cyber risk in financial terms is that, in addition to meeting regulatory requirements such as those proposed by the SEC and others, executives such as the CISO, CRO, CFO and board members can get the financially quantified answers they need around areas such as:
This approach is aligned with the overall intention from the SEC as is evidenced by Mr. Gensler's statement “I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.” Platforms such as Kovrr’s Quantum can deliver all these powerful data-driven insights on-demand with the click of a button.
Overview of the proposed regulations
The following is an overview of the three main areas the proposed new regulations will address:
Financially quantifying cyber risk in terms of dollars is an excellent way to demonstrate whether a cyber security event is material. Using our Quantum CRQ platform, organizations can do just that—evaluating the potential financial impact of a cyber attack and assessing if it is material or not.
The SEC’s new rules are a step in the right direction for improving cybersecurity disclosure; however, cybersecurity is a rapidly developing field, and organizations need to take a holistic, technology-led approach to managing their risks.
This includes measures such as (1) using a CRQ platform such as Quantum to identify and financially quantify cyber risks, (2) assessing and implementing cyber risk mitigation strategies, and (3) monitoring ongoing and emerging risks.