The Securities and Exchange Commission (SEC) recently released new guidance on cyberrisk reporting that states public companies should “take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion.” While these guidelines are a good first step, they may not be sufficient to address the problem escalating across all industries.
Cyberrisks present huge financial impacts for companies, investors and employees. Enforcing accountability by requiring disclosure of all risks that a company believes are material is an important first step in helping companies address their risk. Verizon’s purchase of Yahoo in June 2017 is a prime example of the risks involved when these disclosures are not made. When Yahoo’s data breach (which they did not declare as “material”) came to light, Verizon immediately slashed $350 million from the acquisition price.
The SEC’s mission is to protect investors through oversight, rules and coordination with federal, state and foreign authorities. Given that cybersecurity contributes to an overwhelming number of risks facing companies today, it should certainly be included in such protection. Nevertheless, the guidelines are still missing some key elements.
One notable provision is the requirement for “periodic” disclosures of cyberrisks, further specified as annual and quarterly updates. Unfortunately, these periodic reports do not encourage companies to adopt routine oversight consistent with the dynamic nature of the cyber landscape, which changes daily. To achieve its intent, the SEC should instead call for continuous risk monitoring, providing investors with up-to-date understanding and assurance about developing and latent risks.
What Companies Can Do Now
Companies struggle with understanding what constitutes a “material cybersecurity risk.” Many organizations measure risk using qualitative, subjective scales (high, medium, low or red, yellow, green) based on business drivers, while others prioritize risk based on technical information around vulnerabilities. The SEC’s guidance that companies must evaluate “the aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks” is intended to shift the way companies think about and approach material cyberrisks.
Most organizations approach cyberrisk starting with threats and/or vulnerabilities, yet not all threats and vulnerabilities present “material” risks. Instead, companies should build their cyberrisk program top-down, identifying their key business processes first. Look to the business continuity or resilience plan already in place to find the necessary information. Then, trace the business processes to the IT systems that support them. Many organizations today use an Information Technology Infrastructure Library (ITIL) framework to map a business process to an IT system. For example, every company has a treasury function that manages cash through established processes supported and fulfilled by IT. These IT services range from large software packages such as SAP and Oracle Financials to QuickBooks used by small- and medium-sized businesses. Finally, companies should pull together the computers or endpoints that make up those IT systems and services.
Working through these steps presents an organization with a clear view of the lineage of a cyberrisk from the business process to the IT system to the endpoint at risk. This transparent, top-down approach ensures that the cyberrisks identified are the ones that in fact have a material impact on the business.
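The lineage described above, worked through in code as an added example that is not part of the original article: the process names, system names, endpoints, dollar impacts and severity scores are all constructed, and the impact-times-severity scoring is an illustrative assumption rather than a prescribed formula.

```python
"""Top-down cyber-risk lineage: business process -> IT system -> endpoint."""
from collections import defaultdict

# Constructed inventory. Each business process carries the financial impact of
# losing it (the figure a continuity/resilience plan would hold) and the IT
# services it depends on, as an ITIL-style service map would record them.
PROCESSES = {
    "treasury-cash-management": {"impact_usd": 5_000_000, "systems": ["sap-fi"]},
    "marketing-newsletter":     {"impact_usd":    20_000, "systems": ["cms"]},
}

# Constructed map of each IT system to the endpoints that make it up.
SYSTEMS = {
    "sap-fi": ["erp-db-01", "erp-app-01"],
    "cms":    ["web-03"],
}

# Constructed worst open finding per endpoint on a 0-10 severity scale.
ENDPOINT_SEVERITY = {"erp-db-01": 6.5, "erp-app-01": 4.0, "web-03": 9.8}


def endpoint_lineage(processes=PROCESSES, systems=SYSTEMS):
    """Trace every endpoint back to the business processes it supports."""
    lineage = defaultdict(set)
    for proc, info in processes.items():
        for system in info["systems"]:
            for endpoint in systems[system]:
                lineage[endpoint].add(proc)
    return dict(lineage)


def top_down_ranking(processes=PROCESSES, systems=SYSTEMS, severity=ENDPOINT_SEVERITY):
    """Rank endpoints by the business impact their findings expose (assumed scoring)."""
    lineage = endpoint_lineage(processes, systems)
    exposure = {}
    for endpoint, procs in lineage.items():
        impact = sum(processes[p]["impact_usd"] for p in procs)
        # Scale the business impact by the severity of the endpoint's open finding.
        exposure[endpoint] = impact * severity.get(endpoint, 0) / 10
    return sorted(exposure.items(), key=lambda kv: kv[1], reverse=True)


def bottom_up_ranking(severity=ENDPOINT_SEVERITY):
    """The vulnerability-first ordering: highest severity first, business ignored."""
    return sorted(severity.items(), key=lambda kv: kv[1], reverse=True)
```

With these constructed inputs the vulnerability-first view puts the marketing web server first because of its 9.8 finding, while the top-down view puts the treasury database first even though its finding is only moderate, which is the materiality distinction the guidance is asking companies to make.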
When it comes to cyberrisk, there are two certainties: First, cyberattacks are inevitable and can cause severe financial damage for companies. Second, in the future, as organizations better understand the business impacts of attacks, cybersecurity risks will be treated on par with other traditional risks. The importance of reporting these risks top-down will only grow, especially in the wake of high-profile breaches.
Rather than regarding the SEC’s guidance as a burden, companies should view this as an opportunity to understand which risks are most consequential to the business and, in turn, get ahead of those risks. For today’s businesses, getting ahead of cyberrisks can mean the difference between success and failure.