The Securities and Exchange Commission (SEC) adopted its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure on July 26, 2023. That gives organizations roughly five months to confirm their compliance plans before the new incident disclosure requirements take effect in mid-December 2023.
In brief, the disclosure requirements break into three pillars:
Cyber incident reporting
- Report "material" cybersecurity incidents on a Form 8-K within four business days of determining that the incident is material; the materiality determination itself must be made without unreasonable delay after discovery of the incident.
- Describe the nature, scope, and timing of the incident and the material impact or reasonably likely material impact on the registrant. To the extent required information is not determined or is unavailable at the time of the filing, the 8-K should include disclosure of this fact, and the 8-K should be later amended when the information is determined or becomes available.
- Base the materiality determination on the federal securities law standard of materiality, taking both quantitative and qualitative factors into account.
Cyber risk management and strategy
- Describe the company’s process, if any, for assessing, identifying, and managing material risks from cybersecurity threats, including:
- whether those processes are integrated into the overall risk management program, whether the company engages consultants, auditors or other third parties, and what processes exist to oversee and identify risks arising from the use of third-party service providers.
- whether and how any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the registrant’s business strategy, results of operations, or financial condition.
Cyber governance
Describe the company's governance of cybersecurity risks as it relates to:
- The board’s oversight of cybersecurity risk, including identification of any board committee or subcommittee responsible for oversight and the process by which they are informed about cyber risks.
- Management’s role and expertise in assessing and managing material cybersecurity risk and implementing cybersecurity policies, procedures and strategies.
- Specific disclosure of any management positions or committees responsible for assessing and managing cyber risks, including discussion of their relevant expertise.
Cyber Risk Quantification will help fulfill SEC cyber disclosure requirements
In addition to the material-incident reporting requirement, the rule requires covered companies to describe their processes for assessing, identifying and managing material cybersecurity risks, and to state whether and how those risks have affected, or are reasonably likely to affect, their business strategy, results of operations and financial condition. Now that the rule has been adopted, shareholders get a clearer view of the potential impact of cybersecurity events on their investments.
To fulfill these requirements, companies need a streamlined and reliable way to translate their security posture into financial terms. Enter Cyber Risk Quantification (CRQ). Translating cyber risk scenarios into numbers is hard because risk is probabilistic rather than concrete, and for CISOs it is neither sustainable nor savvy to rely on alarmist scare tactics to steer boardroom decisions. CRQ bridges the gap between technical language and business language by telling decision-makers, in financial terms, what impact various risk scenarios could have. It keeps non-technical business leaders engaged and continually informed about where to direct funds for maximum effect.
Before the rule was finalized, members of the Commission had voiced disapproval of the proposal. Republican Commissioner Hester M. Peirce issued a dissenting statement, arguing that it oversteps the SEC's mission. "The Commission regulates companies' disclosures; it does not regulate public companies' activities. This proposal flirts with casting us as the Nation's Cybersecurity Command Center – a role Congress didn't give us," she stated.
The official mission of the SEC is "to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation," and those who back the rule see how deeply cybersecurity is intertwined with that mission. SEC Chair Gary Gensler supported it on the grounds that many issuers already disclose cybersecurity information and that investors are better served when such disclosure is consistent and comparable.
“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” said SEC Chair Gary Gensler. “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”
While the SEC's rule does not explicitly reference CRQ, the disclosures it calls for are difficult to make credibly without some way to express cyber risk in financial terms. In the past, many business leaders have pushed back on implementing CRQ because they did not see an immediate ROI. After walking through an assessment using the Axio360 platform, however, the ROI of the process becomes clear, and business leaders who are not already using CRQ tools like Axio360 may be surprised by what they find.
Axio can help
Shareholders rely on the board to protect their investments, and a board member's highest duty is to oversee financial performance and risk management so that the business remains sustainable. If you are a CISO or other cybersecurity professional, Axio360 can help you demonstrate the ROI that CRQ provides for your business. It identifies the most impactful risk scenarios specific to your company, directs cybersecurity spending to the areas of highest importance, and validates risk acceptance in less vital areas. From that information it generates a report designed specifically for board members making strategic decisions.
To learn how to help curate a more effective Board of Directors, see our free and newly updated guide here, where we break down the SEC's final rule in greater detail and demonstrate a one-to-one mapping between the SEC's requirements and Axio's reporting capabilities. We also spell out how Axio's platform lays out risks "in plain English" so that senior officers can make the right decisions about cybersecurity policies and procedures, helping to secure the broader financial ecosystem.
The newly issued SEC rule requires companies to disclose cybersecurity risks and incidents, and meeting it is far easier with a CRQ program in place. Companies must be able to describe the process by which the board is informed about cybersecurity risks, and to state whether and how those risks have affected, or are reasonably likely to affect, their business strategy, results of operations and financial condition. At Axio, this is our specialty. Sign up for a demo today to see how we can help you meet the demands of an evolving regulatory landscape.
Originally published March 23, 2022, updated August 24, 2023.