The US Securities and Exchange Commission (SEC) has proposed new regulations that would require public companies to disclose “material cybersecurity incidents” within four business days. The goal of these amendments, the Commission stated, is to “enhance and standardize” cybersecurity incident reporting, risk management, and governance.
The full proposal, “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” is available on the SEC’s website. It comes on the heels of several high-profile data breaches, like the costly and disruptive Colonial Pipeline incident, and growing concern around Russian retaliation to US sanctions has added to its relevance. In addition to “material incident” reporting requirements, it would also require subjected companies to report the details of their cyber risk assessment and management programs, business continuity and recovery plans, and more. These businesses will be on the hook to report whether they include cybersecurity risk in their business strategies and financial planning. Should it pass, the amendment will give shareholders a better view of the potential impact of cybersecurity events on their investments.
To fulfill these requirements, companies will need a streamlined and reliable way to translate their security posture into financial terms. Enter: Cyber Risk Quantification (CRQ). Translating cyber risk scenarios into something quantifiable is a challenge because risk is not concrete. And for CISOs, it’s not sustainable or savvy to rely on alarmist scare tactics to steer decision-making in the boardroom. CRQ bridges the gap between technical and business-speak, informing decision-makers on what kind of impact various risk scenarios could have. Risk quantification keeps non-technical business leaders engaged and continually informed about where to direct funds for maximum effect.
Some members of the SEC Commission have expressed disapproval of the amendment. Republican Commissioner Hester M. Peirce submitted a dissenting opinion, saying the proposal supersedes the SEC’s mission. “The Commission regulates companies’ disclosures; it does not regulate public companies’ activities. This proposal flirts with casting us as the Nation’s Cybersecurity Command Center – a role Congress didn’t give us,” she stated.
The official mission of the SEC is “to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation,” and those who back the latest proposal understand the degree to which cybersecurity is intertwined with this mission. SEC Chair Gary Gensler expressed his support of the amendment because, in short, it will require companies to take cybersecurity measures that they should be doing already.
“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” said SEC Chair Gary Gensler. “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”
While the SEC’s proposal does not explicitly reference CRQ, companies won’t be able to successfully meet requirements without it. In the past, many business leaders have pushed back on implementing CRQ because they don’t see the immediate ROI. However, after walking through an assessment using the Axio360 platform, the ROI of the assessment process becomes undeniable, and some business leaders who aren’t already leveraging CRQ tools like Axio360 might be surprised by what they find. Any decision-makers who are unhappy with the proposed new amendments don’t understand their risk environment. And if you don’t understand your risk environment, you’re in danger.
Axio can help
Shareholders rely on the Board to protect their investments, and a board member’s highest duty is to focus on financial performance and risk management to safeguard the sustainability of the business. If you’re a CISO or other cybersecurity professional, Axio360 can help you demonstrate the ROI that CRQ can provide for your business. It leverages CRQ by teasing out the most impactful risk scenarios specific to your company and drives cybersecurity spending to areas of highest importance while validating risk acceptance in less vital areas. With this information, it generates a report designed specifically for Board members to make strategic decisions.
To learn exactly how to help curate a more effective Board of Directors, you can check out our free and newly updated guide here, where we break down the proposed SEC amendments in greater detail and demonstrate a 1:1 mapping between the SEC’s new requirements and Axio’s reporting capabilities. We also spell out how Axio’s platform helps unravel risks “in plain English,” for senior officers to make the right decisions regarding cybersecurity policies and procedures, helping to secure the broader financial ecosystem.
The newly proposed SEC reporting rules would call for companies to disclose cybersecurity risks and incidents. That all but requires publicly traded companies to implement a CRQ program to fulfill those requirements. They must be able to outline the process by which the Board is informed about cybersecurity risks and the frequency of its discussions on this topic. Further, they must be able to demonstrate whether and how the Board or Board Committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight. At Axio, this is our specialty. Sign up for a demo today to see how we can help you meet the demands of an evolving regulatory landscape.
Originally published March 23, 2022, updated May 16, 2022.