August 3, 2023
It all started with a statement from US Securities and Exchange Commission (SEC) Commissioner Jaime Lizárraga, who revealed that 83% of companies suffered multiple data breaches last year, at an average cost of $9.44 million in the United States, a 600% increase over the past ten years.
These figures, though not surprising given the mass shift to an online economy during the Covid-19 outbreak, motivated the SEC to act. A vote to finalize rules on cybersecurity disclosure was held, and it passed three to two.
Here’s how we got here and what it means for you.
The SEC's concerns about cybersecurity disclosure are not new: it issued interpretive guidance on the topic in 2018, and you can find the thoughts of Kovrr's VP Strategic Initiatives, Tom Boltman, on the subject here.
The new rules, adopted on Wednesday, July 26, require publicly traded US companies and foreign private issuers to report "material cybersecurity incidents" within four business days of determining that an incident is material (the clock starts at the materiality determination, not at first detection of the event). These companies must also describe, in their annual reports, their cybersecurity risk management, strategy, and governance, and whether risks from cybersecurity threats, including previous incidents, have materially affected them.
The rules take effect later this year. They are expected to promote more robust cybersecurity risk management among corporations by increasing accountability, and to protect investors by ensuring they are aware of the risk exposure of the companies they invest in.
According to the Commission, the cost of cybersecurity incidents to companies and their investors is rising, and rising faster. IBM's 2023 Cost of a Data Breach report indicates that the average financial impact of a data breach on organizations has increased by 15 percent over the past three years, to $4.45 million.
Wednesday's decision finalizes a proposal the SEC issued in March 2022. It builds on cybersecurity disclosure guidance issued in 2011 and 2018 and seeks to make reporting more "consistent, comparable, and decision-useful."
SEC Chair Gary Gensler stated that while many companies already disclose information about their cybersecurity posture, the new rules will help corporations and investors make decisions by making that practice more consistent and comparable.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” Gensler said. “Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
This regulation update is an excellent opportunity for cybersecurity leaders to solidify their position. By forging more robust bonds with the C-suite and Board of Directors, utilizing performance metrics to show the success of their programs, and giving regular, quantifiable updates to those involved, they can do just that.
Once a registrant determines that a cybersecurity incident is material, it must report it (on Form 8-K for domestic registrants) within four business days, describing the nature, scope, and timing of the incident and its material impact, or reasonably likely material impact, on the company, including its financial condition and results of operations. The materiality determination itself must be made without unreasonable delay after the incident is discovered, so the four-day window cannot be stretched by postponing that decision.
Quantifying cyber risk in monetary terms is a critical input to deciding whether an incident is, indeed, "material." With it, cybersecurity teams can ensure that material risks are handled appropriately and that financial exposure is assessed accurately.
Constructing a strong cyber risk management program that includes quantification gives confidence to both internal and external stakeholders. CISOs may even use the new regulations to their benefit, making the case for a bigger budget and more resources by providing regular data on program performance and cyber risk assessments.
The fact sheet published by the SEC is a great place to understand the precise rules regarding cybersecurity disclosures.
Primarily, the new regulations cover both incident reporting and periodic disclosure. For incident reporting, companies must now disclose any material cybersecurity incident, describing its nature, scope, and timing and its impact on financial condition and results of operations.
Again, organizations will benefit from using technology to deliver these insights on demand and comply with the new regulatory requirements.
The annual reports will also require enterprises to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats; the board of directors' oversight of those risks and management's role in assessing and managing them; and whether risks from cybersecurity threats, including previous incidents, have materially affected or are reasonably likely to materially affect the business.
Organizations that do not use any form of cyber risk quantification (CRQ) might initially find these obligations overwhelming. However, by adopting a platform that translates risk into financial terms stakeholders can understand, organizations can more readily comply with the SEC ruling.
With a proper cybersecurity quantification platform, companies can easily:
Added regulations are often seen as a burden, but in this case they give cybersecurity teams a chance to demonstrate how they contribute to the company's success. The CRQ approach encourages measurable risk reduction, straightforward communication, and thorough organizational knowledge.
If you would like to find out more regarding how Kovrr can assist your business to conform to the new regulatory requirements, book a demo with our team.