In last week’s SEC Solution Launch Webinar, Axio CEO Scott Kannry moderated a lively discussion with Nicole Sundin, Sam Skinner, and Joe Breen. Our internal SMEs walked through practical strategies for complying with the Securities and Exchange Commission’s (SEC) cybersecurity disclosure rules, and showed how the Axio360 platform was designed to meet those requirements out of the box.
You can listen to the recording here.
Below is a brief recap of the presentation with selected speaker highlights we found particularly interesting.
The need for practical cybersecurity compliance strategies
The discussion opened by emphasizing the need for practical approaches to complying with the SEC’s cybersecurity rules. Companies should weigh the long-term implications of vendor selection, especially where cybersecurity and financial reporting intersect. You want a long-term partner, which means the product vision behind your chosen solution should tie future feature development to legal and compliance insight.
An SEC preparedness assessment is a starting point for accountability
Axio’s SEC preparedness assessment has emerged as a valuable tool for companies to evaluate where they stand against the SEC’s new rules. The assessment is a cost-effective starting point that lets companies gauge their compliance maturity and adjust their strategy accordingly. Accountability is now a top concern for security leaders, as the SEC’s recent charges against SolarWinds and its CISO, who was named personally over the company’s security decisions and disclosures, make clear. A preparedness assessment is the first step on that accountability journey.
A single source of cybersecurity truth exists
CISOs need a reliable system of record both to demonstrate compliance with SEC regulations and to protect themselves against liability. Axio360 was designed as a single place to manage cybersecurity risks and the improvements made in response to them.
A few years ago, I willingly volunteered for a deposition related to a dispute over coverage during my time in the insurance brokerage world. This experience highlighted the importance of being able to interpret past decisions and actions. Now, and this is particularly evident in the cybersecurity space, events today can be traced back to decisions made years ago, such as the installation of a protective device or a patch. Drawing parallels with other areas of law and disputes, it becomes crucial to explain past decisions quickly and effectively. Having readily available information from the system, or the scope of data, allows for a swift and rational explanation of trade-offs and choices. This ability can significantly impact outcomes in the cybersecurity realm, differentiating between favorable and challenging results, as you may have observed firsthand.
Cybersecurity regulations and their impact on organizations
The speakers emphasized the importance of a consistent and defensible approach to risk management across the organization, including legal and regulatory compliance. They advised elevating the cybersecurity conversation to the board of directors, given the board’s responsibility for organizational governance.
It’s common to attribute blame to the security officer, and the new regulations have unfortunately increased the pressure from both the board and stakeholders. However, our message to CISOs is about establishing a collaborative relationship. By bringing us on board, we can help ensure that you have a systematic process in place to make informed decisions that align with your role. Whether it fits your specific needs or not is entirely your decision on resource allocation. In the unfortunate event of a security breach, CISOs can confidently assert that they have a third-party system in place, demonstrating a commitment to taking cyber risk seriously. This aligns with the organization’s intent to address cybersecurity seriously, like the approach taken by the SEC and regulators.
We suggested shifting board reporting away from traditional “red, yellow, green” status frameworks toward the business impact of events. Axio’s cybersecurity reporting solution is built on cyber risk quantification, and the speakers recommended establishing a board cybersecurity subcommittee so that communication with the board is digestible and actionable.
There exists a significant cybersecurity literacy gap between board members and cybersecurity leaders. Reporting to the board may be a new or ongoing activity, and we’re observing an increasing trend in organizations. To address this, we recommend reframing board reporting using three mechanisms. Firstly, shift focus from red, yellow, and green reporting to emphasizing business impact, expressing potential costs in a language understandable to all board members. This breakthrough in cybersecurity literacy is achieved through cyber risk quantification, a process that can be quickly implemented. Our designed reports ensure clarity for the board. Secondly, we suggest establishing a cybersecurity subcommittee, leveraging subject matter expertise from former CISOs to enhance decision-making. This approach has been successful across various Fortune companies. Lastly, automate the reporting process using a tool like ours, saving valuable time for CISOs and cyber leaders. Our product offers out-of-the-box automated reporting with a user-friendly design, recognizing the need for efficiency in managing a CISO’s responsibilities.
Materiality in decision-making and risk assessment
The speakers highlighted Axio’s role in helping companies make confident materiality decisions through education on what materiality means and through incident response planning. Our cyber risk quantification (CRQ) tool and process let companies run loss scenarios ahead of time, saving time and effort when an incident actually occurs.
The key to enhancing confidence and facilitating decisive decisions around materiality involves two main aspects. First, education is crucial, encompassing an understanding of the definition of materiality, rooted in the SEC’s 90-year-old definition focused on investor protection. Secondly, preparedness and planning play a significant role, with Axio providing valuable assistance in saving time and ensuring a confident decision-making process. This planning involves two components: cyber risk quantification, assessing the financial impacts of different scenarios, and incorporating this into the incident response plan. The CRQ process allows for a clear understanding of qualitative and quantitative factors ahead of time, reducing confusion during an incident. Insurance considerations are also incorporated, acknowledging their impact on the overall assessment. I’ll now pass the discussion to Scott to delve further into the role of insurance in this context.
Insurance and materiality in cybersecurity
The discussion then turned to the role of insurance. Insurance is not a “get out of jail free card,” but proceeds a company can reasonably expect to recover offset the financial loss from an event and therefore feed into the materiality determination. The speakers also noted that large organizations typically set insurance deductibles and retentions relative to their own materiality threshold, so the retention level itself is informative when judging whether a cybersecurity event is material.
Two perspectives highlight the relevance of insurance in these discussions. Firstly, it’s not a guaranteed “get out of jail free” card, but, as with MGM, companies may recover proceeds through insurance, which impacts the materiality determination. The ability to confidently assess coverage and potential reimbursement from the outset influences the materiality calculus. While insurers don’t always provide a definite guarantee, having a confident perspective based on coverage and claims history is valuable. Secondly, in large organizations, insurance deductibles align with materiality thresholds, which informs discussions on cyber insurance program retention. This approach, borrowed from other risk areas, offers informative insights into materiality for cybersecurity events. A reasonably informed materiality determination, even if later proven wrong, provides defensibility when explaining decisions under hindsight analysis. It underscores the significance of having a documented perspective to reference when circumstances change.
Materiality thresholds and risk tolerance in financial reporting
Next, the speakers discussed how Axio helps companies make materiality calls during an event, and offered a quick, low-cost rule of thumb for doing so.
Consider the financial impact of a bad event by assessing the amount your organization can withstand without significant disruption. If the loss is manageable, and the CFO deems it won’t affect day-to-day operations, it falls below the materiality threshold. However, if the financial pain surpasses the threshold, impacting earnings per share, the ability to meet board expectations, or the stock price, it enters materiality territory. The CFO plays a crucial role in gauging the pain threshold, making them a key decision-maker in materiality assessments. Ultimately, compare the event’s cost to the pain threshold to determine its materiality. This provides a straightforward rule of thumb for evaluation.
Cybersecurity risk management and reporting for Board Members
The session closed on the importance of cyber risk quantification scenario catalogs and simplified reporting processes, with emphasis on Axio’s ability to help security leaders produce easy-to-understand board reports in a short timeframe: a “now” solution for leaders preparing for an upcoming board meeting.
Check out the full webinar broadcast here.