
Are you ready to report on your cyber risk?

Published on
July 18, 2023

Cyber security threats aren’t going away. 

If anything, as we evolve our use of technology through continued digitisation, they’ll grow. 

Acknowledging this escalating risk to public companies and investors, the U.S. Securities and Exchange Commission (SEC) has proposed a new set of cybersecurity rules for public companies that aim to bolster cybersecurity risk management, strategy, governance, and incident disclosure reporting.

These rules are intended to provide more consistent, comparable and decision-useful information so that investors can better evaluate a company’s exposure to cybersecurity risks and incidents, and develop strategies to mitigate those risks and incidents.

Once the rules take effect, publicly listed companies will be required to:

  • Provide clarity in current reporting relating to material cybersecurity incidents. 
  • Conduct periodic reporting on previously reported cybersecurity incidents.  
  • Undertake periodic reporting about policies and procedures to identify and manage cybersecurity risks. 
  • Provide information about the board of directors’ oversight of cybersecurity risk, and about management’s role and expertise in assessing and managing cybersecurity risk and in implementing policies and procedures.
  • Report annually about the board of directors’ cybersecurity expertise. 

This ruling is expected to be finalised imminently, which means that now is a good time to get prepared. It’s time to ensure your company can communicate cyber risk to your stakeholders in an effective way that also aligns with the SEC’s proposed requirements.

One way to approach this is by using ‘Cyber risk quantification’ as it provides a quantitative view of your company’s cyber risk exposure. Going one step further, an effective cyber risk quantification program should help you achieve the following objectives and answer the following key questions: 

Express risk quantitatively: What’s our risk exposure in financial terms to a cyber-attack, and how does this compare against our risk appetite?  

Prioritise Investments: What cyber capabilities should we prioritise investment in to optimise our protection against the threats we face? 

Demonstrate cost-benefit analysis: If we invest £XM in cyber next year, what benefit, in terms of reduced cyber-related losses, will this deliver to the business?

Optimise cyber insurance: Do we have appropriate cyber insurance coverage given the threats we face?

Optimise capital investments: Do we have proportionate capital reserves in the event we suffer a widespread cyber incident? 

The SEC’s proposed ruling on cyber risk reporting has likely come at the most relevant time, but an expanding cybersecurity regulatory landscape does mean additional work for many. Have you quantified your organisation’s cyber risk exposure in the context of the threats faced and capabilities in place?

Author
Alex Lightfoot
Head of Customer Success
Alex is the Head of Customer Success at CRI. With a strong focus on helping customers extract maximum value from the product, Alex is dedicated to enhancing customer satisfaction, understanding customer needs, and fostering long-term partnerships. Based in Manchester, Alex advocates for customers internally, driving continual improvement of the product.