Risk Management
Understanding the SEC’s New Cyberrisk Guidance

Jerry Caponera
June 1, 2018

The Securities and Exchange Commission (SEC) recently released new guidance on cyberrisk reporting that states public companies should “take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion.” While these guidelines are a good first step, they may not be sufficient to address the problem escalating across all industries.

Cyberrisks present huge financial impacts for companies, investors and employees. Enforcing accountability by requiring disclosure of all risks that a company believes are material is an important first step in helping companies address their risk. Verizon’s purchase of Yahoo in June 2017 is a prime example of the risks involved when these disclosures are not made. When Yahoo’s data breach (which they did not declare as “material”) came to light, Verizon immediately slashed $350 million from the acquisition price.

The SEC’s mission is to protect investors through oversight, rules and coordination with federal, state and foreign authorities. Given that cybersecurity contributes to an overwhelming number of risks facing companies today, it should certainly be included in such protection. Nevertheless, the guidelines are still missing some key elements.

One notable provision is the requirement for “periodic” disclosures of cyberrisks, further specified as annual and quarterly updates. Unfortunately, these periodic reports do not encourage companies to adopt routine oversight consistent with the dynamic nature of the cyber landscape, which changes daily. To achieve its intent, the SEC should instead call for continuous risk monitoring, providing investors with up-to-date understanding and assurance about developing and latent risks.

What Companies Can Do Now

Companies struggle with understanding what constitutes a “material cybersecurity risk.” Many organizations measure risk using qualitative, subjective scales (high, medium, low or red, yellow, green) based on business drivers, while others prioritize risk based on technical information around vulnerabilities. The SEC’s guidance that companies must evaluate “the aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks” is intended to shift the way companies think about and approach material cyberrisks.

Most organizations approach cyberrisk starting with threats and/or vulnerabilities, yet not all threats and vulnerabilities present “material” risks. Instead, companies should build their cyberrisk program from the top down, identifying their key business processes first. Look to the business continuity or resilience plan already in place to find the necessary information. Then, trace the business processes to the IT systems that support them. Many organizations today use the Information Technology Infrastructure Library (ITIL) framework to map a business process to an IT system. For example, every company has a treasury function that manages cash through established processes supported and fulfilled by IT. These IT services range from large software packages like SAP and Oracle Financials to QuickBooks used by small- and medium-sized businesses. Finally, companies should pull together the computers or endpoints that make up those IT systems and services.

Working through these steps presents an organization with a clear view of the lineage of a cyberrisk from the business process to the IT system to the endpoint at risk. This transparent, top-down approach ensures that the cyberrisks identified are the ones that in fact have a material impact on the business.
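The three-step mapping above (business process to IT service to endpoint) is easy to keep as a small data model, and doing so turns a scanner or incident finding about a host into a statement about which material business processes it reaches. The following is an added example, not code from the article or its author; the inventory (process, service and host names) and the materiality flags are constructed for illustration, and the function names are this example's own.

```python
"""Business-process -> IT-service -> endpoint lineage for cyberrisk scoping.

Added example; the inventory below is constructed for a hypothetical company.
"""
from collections import defaultdict

# Constructed inventory: business process -> IT services that fulfil it.
# In practice this comes from the business continuity plan / ITIL service map.
PROCESS_TO_SERVICES = {
    "treasury-cash-management": ["sap-erp"],
    "payroll": ["sap-erp", "hr-portal"],
    "marketing-website": ["cms"],
}

# Constructed inventory: IT service -> endpoints (hosts) that make it up.
SERVICE_TO_ENDPOINTS = {
    "sap-erp": ["erp-app-01", "erp-db-01"],
    "hr-portal": ["hr-web-01", "erp-db-01"],  # database host shared by two services
    "cms": ["www-01"],
}

# Constructed materiality judgement per process, as the business would state it
# (True = a disruption or breach of this process would be material).
MATERIAL_PROCESSES = {
    "treasury-cash-management": True,
    "payroll": True,
    "marketing-website": False,
}


def build_endpoint_index():
    """Invert the two inventories into endpoint -> set of business processes."""
    index = defaultdict(set)
    for process, services in PROCESS_TO_SERVICES.items():
        for service in services:
            for endpoint in SERVICE_TO_ENDPOINTS.get(service, []):
                index[endpoint].add(process)
    return index


def impacted_processes(endpoint, index=None):
    """Business processes that depend on a given endpoint (sorted for stable output)."""
    if index is None:
        index = build_endpoint_index()
    return sorted(index.get(endpoint, set()))


def material_exposure(endpoints_at_risk):
    """Given endpoints flagged by a vulnerability scan or an incident, return the
    material business processes they reach. This is the lineage a company
    needs in order to say whether a finding is a 'material cybersecurity risk'."""
    index = build_endpoint_index()
    exposed = set()
    for endpoint in endpoints_at_risk:
        for process in index.get(endpoint, ()):
            if MATERIAL_PROCESSES.get(process, False):
                exposed.add(process)
    return sorted(exposed)


def lineage(process):
    """Process -> {service: [endpoints]} chain, usable as a disclosure narrative."""
    return {
        service: list(SERVICE_TO_ENDPOINTS.get(service, []))
        for service in PROCESS_TO_SERVICES.get(process, [])
    }


def unmapped_endpoints(asset_list):
    """Endpoints in the asset register that no business process reaches.
    These are inventory gaps: their risk cannot be rated material or not."""
    index = build_endpoint_index()
    return sorted(e for e in asset_list if e not in index)


if __name__ == "__main__":
    # Constructed scan result: two hosts flagged, one of them the shared DB host.
    flagged = ["erp-db-01", "www-01"]
    print("material exposure:", material_exposure(flagged))
    print("payroll lineage:", lineage("payroll"))
    # Constructed asset register containing a host nobody has mapped yet.
    print("unmapped:", unmapped_endpoints(["erp-app-01", "backup-nas-01"]))
```

The shared database host shows why the inversion matters: a finding on `erp-db-01` touches both treasury and payroll, while the same finding on `www-01` reaches no material process. The `unmapped_endpoints` check is the one to run first, since any host that cannot be traced back to a process is a gap in the inventory rather than a low risk.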

Next Steps

When it comes to cyberrisk, there are two certainties: First, cyberattacks are inevitable and can cause severe financial damage for companies. Second, in the future, as organizations better understand the business impacts of attacks, cybersecurity risks will be treated on par with other traditional risks. The importance of reporting these risks from the top down will only grow, especially in the wake of high-profile breaches.

Rather than regarding the SEC’s guidance as a burden, companies should view this as an opportunity to understand which risks are most consequential to the business and, in turn, get ahead of those risks. For today’s businesses, getting ahead of cyberrisks can mean the difference between success and failure.
