Last week, an important Securities and Exchange Commission (SEC) Interpretive Guidance, which we analyzed in a Protiviti Flash Report, set the bar for corporate cybersecurity risk assessments. One particular aspect of the new guidance relating to how companies conduct risk assessments and report on cybersecurity risks is the need to understand “the range and magnitude of the financial impacts” of cyber risks and incidents.
This is a significant clarification. For the purposes stated by the SEC, most companies’ existing risk assessment methods won’t likely make the cut in terms of informing the disclosure controls and procedures the SEC is expecting companies to have in place. I touched on this in a previous post, when I wrote about the need for cybersecurity metrics that matter. In its latest guidance, the SEC is raising the bar by suggesting that companies need to disclose both the likely frequency and magnitude, in financial terms, of cyber threats. Depending on the complexity of their systems and exposures, this expectation requires companies to mature beyond simple “high, medium, low” risk assessments. One way to do that is to perform a quantitative cyber risk analysis.
This change appears daunting, but it is not time to panic yet. I commonly find that companies that struggle to adopt more mature quantitative cyber risk measurement approaches share one or more of the following misconceptions: cybersecurity is too complex to measure accurately; they don’t have enough data; or cyber risk measurement requires expensive tools. But as Douglas Hubbard, author of How to Measure Anything in Cybersecurity Risk says, it’s good to keep these four things in mind:
- Your problem is not as unique as you think.
- You have more data than you think.
- You need less data than you think.
- There is a useful measurement that is much simpler than you think.
What Does SEC Expect, Exactly?
The SEC frames its expectations in the context of disclosure controls and procedures. These policies, mechanism and procedures should ensure “disclosure of cybersecurity risks and incidents in the appropriate timeframe…[through] an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.” With assistance of counsel, each issuer must decide what this means to their specific circumstances.
I would advise companies to use more mature forms of risk analysis to determine the materiality of cybersecurity incidents to their business and shareholders and include in their analysis and disclosure the financial, legal and reputational consequences of those risks.
The SEC recommends that companies consider the following factors, among others, in evaluating and disclosing cybersecurity risk:
- Historic frequency of cyber incidents
- Probability and potential magnitude (losses) of future cybersecurity incidents
- Specific risks associated with the business and its operations
- Adequacy of cybersecurity protections
- Potential for reputational harm
- Litigation, regulatory and remediation costs associated with cybersecurity incidents
This will require some work on behalf of companies, and engagement from all sides of the organization, not just IT. In our work with clients, we often discover risk registers that consist of a combination of threats, control deficiencies, threat actors, technologies and other unquantifiable IT realities. These won’t work anymore. The new SEC guidance makes it clear that cyber risk is business risk and needs to be expressed in those terms for the company’s disclosure committee to evaluate.
So How Do You Define Cyber Risk Now?
Most companies will need to deliberately define cybersecurity risk in a new way to meet the spirit of the SEC guidance. Companies should ask themselves whether they currently measure cybersecurity risk from the viewpoint of the business and the need of shareholders for material information, and whether they can articulate the business impact of a cybersecurity incident in monetary terms. A company’s risk register, for example, should be focused on those risks that impact the business. It is important not to conflate assets, technologies, threat vectors and threat methods with actual risks. For example, ransomware is a threat method, but loss of access to critical data is the risk.
As I’ve implied, the SEC has not endorsed any particular model or method for accomplishing this, but we have found quantitative and probabilistic methods, such as Factor Analysis of Information Risk (FAIR), to be effective in our fieldwork. Not only does FAIR allow companies to measure the financial impact of their risk but also provides a standard risk language to ensure consistency. A probabilistic model of risk using financial loss is the only robust way to determine which risks have a material impact on the business or shareholders, and it allows companies to inform their boards about these risks in quantitative terms to enable better decision making regarding possible disclosure.
This kind of risk analysis will involve the business users, asset owners and other people who may not have previously been involved. These are the people who are closest to the potentially threatened assets — the so-called “crown jewels” — and who know the value of what needs to be protected from a business standpoint.
Finally, in addition to quantifying risks and potential costs, the SEC will be looking for quantitative analysis to support the efficacy of proposed controls. Fortunately, this can be accomplished using the same quantitative tools and simulations used to quantify potential losses. Using methods like FAIR, an analyst can demonstrate the risk reduction of a control in financial terms. Not only does this help meet the SEC guidance, but also becomes a valuable tool for evaluating potential investments in cybersecurity technology and controls. Being able to demonstrate “return on control” the same way as for any other capital investment is a powerful tool for any organization.
In closing, the latest SEC guidance should be seen as a wake-up call for most organizations. To meet the Commission’s expectations, management needs to inform its disclosure controls and procedures with sufficient, timely information. One way to do that is to conduct a periodic, robust quantitative cybersecurity risk analysis to proactively identify new and emerging cyber threats. Such assessments should take into consideration the changing cyber threat landscape, the company’s “crown jewels,” the business outcomes management and the board seek to avoid, the nature of the industry and business model, and the issuer’s visibility as a potential target. We believe these assessments are important because many companies have not performed company-wide cyber risk assessments with a focus on business outcomes (as opposed to a narrower technical risk assessment) — but they need to do so now.