April 3, 2023
Against the backdrop of the growing frequency and severity of cyber attacks against enterprises, proposed new regulations from The Securities and Exchange Commission (SEC) are set to require publicly traded companies in the U.S. to analyze how cyber risk could affect financial statements.
In March 2022, SEC Chair Gary Gensler acknowledged just how financially damaging cyber risk has become, stating that “The economic cost of cyberattacks is estimated to be at least in the billions, and possibly in the trillions, of dollars”.
The objective of the new rules are to strengthen the cyber security posture and resilience of businesses in general and the financial sector in particular.
The desire for enterprise decision makers to financially quantify cyber risk has long been strong internally, however the recent move by one of the most influential Wall St. regulators will give new impetus to invest in robust cyber risk management capabilities.
The regulations, which are expected to be finalized in April 2023 would provide investors with faster access to potential investment risks driven by cyber events. They also push enterprise decision makers to ensure they have a robust approach to monitoring and mitigating their cyber risk exposure.
It’s important to note that the SEC’s new rules only apply to publicly traded companies. Privately held companies are not subject to these disclosure requirements, but they may want to consider voluntary disclosure as a way to improve their cyber security posture.
The spotlight being shone by the SEC on the financial impact is in line with a broader market evolution that elevates and views cyber risk as a critical business risk.
The benefits of understanding and communicating cyber risk in financial terms means that in addition to meeting regulatory requirements such as those proposed by the SEC and others, executives such as the CISO, CRO, CFO, board members, and others can get the financially quantified answers they need around areas such as:
This approach is aligned with the overall intention from the SEC as is evidenced by Mr. Gensler's statement, “I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.” Platforms such as Kovrr’s Quantum can deliver all these powerful data-driven insights on-demand with the click of a button.
The following is an overview of the three main areas the proposed new regulations will address
Financially quantifying cyber risk in terms of dollars is an excellent way to demonstrate whether a cyber security event is material. Using our Quantum CRQ platform, organizations can do just that—evaluating the potential financial impact of a cyber attack and assessing if it is material or not.
All significant cybersecurity incidents must be reported under the new regulations. Those reports must be made within 48 hours of any significant incident. Whether those incidents happen to an advisor or registered fund, those reports must be made where there is significant disruption or degradation of the ability to either continue operations or a compromise of information where that substantially harms the advisor, fund, or their clients or investors.
There’s a lot to unpack there:
Those represent a lot of qualifiers. They also leave a lot to be desired. For example, “substantial harm” is a critical reporting threshold that is undefined. While that’s likely to be defined in litigation, risk quantification and management is critical to proactively assess potential business impacts resulting from data exfiltration events.
“Materiality” is another concept introduced under the regulations. Registered Funds and Advisors are required to describe both prospective material cybersecurity impacts and actual historical cybersecurity impacts from the past two years that constitute significant cybersecurity incidents.
Organizations will find prospective risk descriptions impossible without some form of cyber risk quantification. Kovrr automates the most complex part of prospective risk identification: quantifying and valuing risk. Kovrr measures and predicts some of the most critical impacts and prospective risks to an organization including ransomware demands, third party security risks, lost revenue and litigation costs, and more.
The SEC’s new rules are a step in the right direction for improving cybersecurity disclosure. Cybersecurity is a rapidly developing field and organizations need to take a holistic and technology led approach to manage their risks.
This includes measures such as (1) Using a CRQ platform such as the Quantum to identify and financially quantify cyber risks, (2) assess and implement cyber risk mitigation strategies, and (3) monitoring ongoing and emerging risks.
November 20, 2023
Discover the insights of cybersecurity, legal, and financial experts as they react to the SEC's groundbreaking cyber disclosure regulations
October 31, 2023
Learn how CRQ can ensure you have the funds to protect your organization against the rising global cost of cyber attacks.