Cybersecurity Risk is a Business Risk: Upcoming SEC Regulations Make Security Transparency Mandatory
Nasdaq Trade Talks: Regulations Shine a Light on the CISO
The upcoming cybersecurity regulations from the U.S. Securities and Exchange Commission (SEC) deliver a clear message: Cyber risk is a business risk. Slated to be finalized this fall, the regulations will directly link financial performance to cybersecurity through required public disclosures.
If a company is hacked, it can affect the stock price, the market capitalization, and customer trust. That is why the SEC is paying attention and has proposed these vital regulations.
NASDAQ TradeTalks interview: How organizations can successfully navigate the evolving threat and regulatory landscape
Key points that security and risk professionals at public companies must plan for:
- Focusing on the financial impact of cybersecurity: Companies will need to disclose whether their entire board, specific board members, or a committee are responsible for cybersecurity. This includes informing the board about cybersecurity risks and how frequently this topic is discussed.
- Informing investors about cyber risk management: Companies will likely be required to disclose governance methods along with risk analysis and management processes in SEC filings. While having an incident response plan is already a best practice today, this is the first time companies could be required to share those details publicly. This includes running tabletop exercises.
- Disclosing expertise on the board of directors in their 10-K and 8-K reports: Companies will be required to include board directors’ cybersecurity experiences and résumés in public disclosures. Additionally, in 2022, a new rule was passed that requires executives and board members to return bonuses if errors are found in financial disclosures.
- Reporting significant cybersecurity incidents: Entities regulated by the SEC will be required to publicly disclose individual incidents deemed “material”— or clusters of small incidents that combine to create a material incident — to the SEC within four days of determining that such a situation has occurred (a very fast disclosure timeline).
Translating technical risks into financial terms the board can understand
According to SEC Chair Gary Gensler: “The nature, scale, and impact of cybersecurity risks have grown significantly in recent decades. Investors, issuers, and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age.”
In their 2023 Director’s Handbook on Cyber-Risk Oversight, the National Association of Corporate Directors (NACD) calls out the need to include cybersecurity measurement and reporting in Board cyber roles. NACD suggests that Boards receive risk assessments of cyber posture from independent organizations and specifically suggests the inclusion of “independent security ratings of the company, benchmarked against peer organizations.”
In the past, the Chief Information Security Officer (CISO) used to be a strictly technical role, but increasingly, the CISO is now a seatholder at the board level. Here is how CISOs can translate technical risks into business terms the board can understand:
- Avoid using technical jargon. Board members do not always know what web application firewalls are or Denial-of-Service (DoS) attacks are, so the CISO must translate cybersecurity issues into terms that the board understands.
- Use objective and measurable KPIs to quantify risk. For example, instead of saying, “A ransomware attack will jeopardize our data,” say, “The average cost of a data breach in 2022 was $4.35 million.”
- Convey mitigation steps in business terms. For example, “A $10,000 investment in threat intelligence capabilities can save us up to $4.35 million in two years.”
- Run tabletop exercises to educate business leadership, including C-suite and senior executives, on how cybersecurity incidents and data breaches may play out.
Organizations need a security expert on the board
Since CISOs historically report to other higher-ups within a company, such as the Chief Technology Officer (CTO), they rarely have enough influence to make drastic security-oriented changes on an organizational level.
Adding a security expert to the board helps organizations ensure that cybersecurity starts at the top. Case in point: SecurityScorecard recently appointed former U.S. National Intelligence Deputy Director and Cybersecurity Expert Susan M. Gordon to its Board of Directors.
A security expert will be able to independently review internal security controls to ensure they are in the best interest of shareholders. This expert will also ensure that cybersecurity risks and regulations are mainstays in board materials and discussions. This top-down approach to cybersecurity will help organizations meet regulatory standards and take a significant step towards cyber resilience.
Final thoughts
The proposed SEC regulations reflect a significant shift in acknowledging the importance of cybersecurity as a material business risk. They encourage companies to act with trust and transparency when it comes to cybersecurity. Effective, proactive cybersecurity matters, and now public companies will be required to talk about it publicly.
I encourage organizations to start preparing for these regulations now by discussing cybersecurity in board meetings and implementing proactive security measures.