July 27, 2023
Cyber Risk

Meeting the SEC Cyber Rule Compliance Deadline

By Resha Chheda, VP Product Marketing

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted a critical rule on how public companies must disclose cyber incidents and the details of their cybersecurity risk management, strategy, and governance. This is a monumental step forward in the transparency of cyber risk management, considering the increasing frequency of attacks. It is crucial for security leaders to plan their approach carefully, because the SEC rule further elevates cybersecurity to a strategic level within the organization.

Key Takeaways from the SEC Cyber Rules

  1. Disclosure regarding Cybersecurity and Risk Strategy:

    The rule will require periodic disclosures regarding companies’ risk management, strategy, and governance with respect to cybersecurity risks. This will help investors effectively assess these risks and make informed investment decisions.

  2. Material Incident Disclosure:

    The rule will require the disclosure of “material cybersecurity incidents.” Registrants would be required to disclose the material aspects of the nature, scope, and timing of the incident, as well as the incident's material impact. Companies are also required to disclose the material impact of cybersecurity risks and previous incidents.

  3. Material Incident Timing:

    The SEC emphasized that the disclosure requirement of a material incident would be four business days from the time that a breach is determined to be "material" (not to be confused with four days from learning that a data breach has occurred).

  4. Board Expertise:

    The rule will require organizations to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.

What The SEC Rule Means for You as a Security Leader

The SEC guidelines have been in place for years, yet most organizations are still struggling to comply. The biggest challenge for businesses is determining materiality, which is crucial for protecting shareholder value – they lack the systems to quantify risk, both at a broad and granular level. To make things worse, the constantly evolving cyber risk landscape makes it difficult for organizations to keep pace.

To comply with the SEC cyber rules, organizations need to focus on processes and methods for identifying their top cyber risks and assessing which of those are, or could become, material to the business. Understanding the gap between your current risk posture and where you must be in 30 days is essential.

With input from experts from the FAIR Institute and hundreds of security leaders of Fortune 500 enterprises, we have identified five key questions that you should consider in your journey to SEC compliance:

  1. What is our current risk compliance assessment for the SEC ruling? What are our gaps? Have we identified the top risks?
  2. How can I ensure that the policies, procedures, and technologies we have in place help me understand the materiality of an incident in the context of my business?
  3. If we are to experience a material cyber incident, is there a way that I can report that an incident happened within four days AND understand what happened? Can I have a prioritized action plan to mitigate and reduce the material impact?
  4. Is my team managing the top cyber risks proactively and continuously so that I can monitor threats and vulnerabilities before they become material incidents?
  5. How can I ensure that the executive team and the Board understand compliance with the SEC rule? How can I ensure transparent communication among all of the stakeholders?

“In considering today’s cyber-related disclosure rules, I am guided by the concept of materiality… if an issuer has a material cyber incident, then under today’s final rules, the issuer will need to disclose material information about that material incident.” – Gary Gensler, Chairperson, U.S. Securities and Exchange Commission

How Safe Security Equips You on Your SEC Compliance Journey

It's not enough for businesses to merely have security measures in place – they need to be able to determine materiality, which is core to protecting their shareholder value. This can only be achieved by making strategic cyber investments that reduce the likelihood of material risk breaches. To do this effectively, businesses must translate bits and bytes of cyber risk into dollars and cents of “material” business risk. This requires a significant paradigm shift in how companies approach cyber risk management.

The SAFE platform is an AI-powered, data-driven Cyber Risk Quantification and Management platform that gives organizations a prioritized way to make the trade-offs and changes with the biggest material impact on risk reduction. It supports compliance with the SEC rule in four ways:

  1. Identify and Understand the Top Business Risks to Build Effective Cyber Risk Management Programs and Processes

    The requirement around periodic disclosures regarding companies’ risk management, strategy, and governance with respect to cybersecurity risks will act as a forcing function for companies to build effective cyber risk management programs and processes that allow for visibility into organizations' control gaps and top risks.

    Safe Security, with its AI-driven approach, provides organizations with an aggregated view of enterprise security risk by bringing together multiple disparate cyber signals in a single place. This provides visibility across their attack surface, technology, people, and third parties, helping CISOs understand the top risks. The SAFE Platform allows CISOs to evaluate their cyber controls’ efficacy, mapped to the MITRE ATT&CK and D3FEND frameworks. Enterprise risk scenarios are scoped according to the MITRE ATT&CK Framework, which is continuously updated, to help identify and measure the impact of emerging threats.

    SAFE’s Generative AI interface and technology help you to understand your current risk posture at a glance and provide the data you need to make informed enterprise security decisions.

  2. Quantification of Business Risk Based on Open Standards to Easily Understand, Measure and Establish “Incident Materiality”

    The legal definition of materiality is unclear and vague. Lawyers have been debating possible interpretations for years. For CISOs, the more fact-based and open the decision process is, the better it is to explain and defend their conclusions about the seriousness of a cybersecurity event.

    Safe Security enables the quantification of business risk based on Factor Analysis of Information Risk (FAIR™). It provides an open model for analyzing and quantifying cyber risk and operational risk in financial terms.

    FAIR equips security professionals to quantifiably understand the impact of existing gaps in the security posture and can describe the impact of risks such as “downtime due to a cyberattack” in financial terms. If organizations use anything other than financial or numerical terms to measure materiality, it will be challenging to assess the true nature of risk and the threat it poses.

    This enables CISOs to translate their actions into a justifiable dollar-value business impact. They can visualize the direct impact on dollar value at risk with every security investment to calculate the Return on Security Investments. Using predictive data models co-developed with MIT, security leaders are empowered to translate the bits and bytes of cyber risk into dollars and cents and effectively communicate it to the board and all risk stakeholders.

  3. Continuous Real-time Monitoring to Potentially Identify & Mitigate Vulnerabilities Before they Become Material Incidents

    The SEC guidelines on Cyber Risk Management recommend that companies continuously monitor their security posture to manage cyber risk effectively. This means not only assessing vulnerabilities at a single point in time but also gaining a deep understanding of their security posture on an ongoing basis across the entire attack surface and keeping an eye on their third parties as well.

    Unlike first-generation CRQ solutions that provide only point-in-time risk assessments, SAFE’s combination of the FAIR™ Model risk analyses with real-time monitoring provides risk leaders with a continuous view of the state of their cybersecurity controls as well as their top cyber risks. By leveraging the power of the FAIR Controls Analytics Model (FAIR-CAM) and AI, SAFE becomes a single source of truth for your risk management and security operations team.

    It also calculates your organization's breach likelihood, how it compares to your industry peers, and the potential financial impact of a data breach. This helps you redirect your finite resources to the control gaps with the biggest impact on risk – helping you tackle threats before they become potentially material incidents. SAFE enables organizations to move away from a reactive state and take a predictive approach to cyber risk.

  4. Board Reporting for SEC Compliance and Risk Management Program Execution

    The SEC Cyber Rule requires disclosure of the relevant expertise of any members of management that are responsible for assessing and managing cyber risks. It is crucial that you have transparent communication with the Board and other stakeholders so that they understand your SEC compliance strategy & execution of the risk management program.

    However, this is easier said than done. Many organizations struggle to communicate their cyber risks in a way that non-technical stakeholders easily understand. Often different stakeholders within an organization have varying ideas of what constitutes "real" cyber risk. In order to address this issue, it's important to have a single source of truth - consistent metrics that everyone can agree on.

    The SAFE Platform helps CISOs tell a compelling story to relevant stakeholders that clearly articulates the potential risks and likelihood of an incident, as well as the potential financial impacts. By delivering clear and consistent communication across stakeholders – including board members, audit committees, IT Risk committees, and insurers – you can ensure everyone is on the same page and understands their role in maintaining cybersecurity.
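The FAIR-based quantification described in item 2 above turns a risk scenario into a financial figure by decomposing it into loss event frequency (LEF) and loss magnitude (LM). As an added illustration (not Safe Security's or the FAIR Institute's code), the script below runs a simple Monte Carlo over two constructed scenarios and compares the resulting annual loss distribution against a materiality threshold that the organization itself sets; the scenario ranges, the triangular distributions and the threshold value are all assumptions chosen for the example.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One FAIR-style loss scenario with elicited (min, most likely, max) ranges."""
    name: str
    lef: tuple  # loss event frequency, events per year
    lm: tuple   # loss magnitude, USD per event


def point_estimate_ale(s: RiskScenario) -> float:
    """Single-point FAIR estimate: annualized loss = LEF x LM using most-likely values."""
    return s.lef[1] * s.lm[1]


def simulate_annual_loss(s: RiskScenario, trials: int = 10_000, seed: int = 7) -> list:
    """Monte Carlo: independent triangular draws for LEF and LM, multiplied per trial.

    The triangular distribution is an assumption for the example; a FAIR analyst
    would normally use a PERT or a calibrated distribution from the data available.
    """
    rng = random.Random(seed)
    lo_f, mode_f, hi_f = s.lef
    lo_m, mode_m, hi_m = s.lm
    # random.triangular takes (low, high, mode)
    return [rng.triangular(lo_f, hi_f, mode_f) * rng.triangular(lo_m, hi_m, mode_m)
            for _ in range(trials)]


def summarize(losses: list, materiality_threshold: float) -> dict:
    """Mean, 90th-percentile annual loss and the share of trials above the threshold."""
    ordered = sorted(losses)
    p90 = ordered[int(0.9 * (len(ordered) - 1))]
    exceed = sum(1 for x in losses if x > materiality_threshold) / len(losses)
    return {"mean": statistics.fmean(losses), "p90": p90, "p_exceed": exceed}


def rank_scenarios(scenarios: list, threshold: float, trials: int = 10_000) -> list:
    """Order scenarios by P90 annual loss so the ones that can cross the threshold come first."""
    rows = []
    for s in scenarios:
        result = summarize(simulate_annual_loss(s, trials), threshold)
        rows.append((s.name, result["p90"], result["p_exceed"]))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed scenarios: frequencies and magnitudes are illustrative, not benchmarks.
RANSOMWARE_DOWNTIME = RiskScenario(
    "Ransomware outage on order processing",
    lef=(0.1, 0.5, 1.0),
    lm=(200_000, 1_000_000, 5_000_000),
)
THIRD_PARTY_LEAK = RiskScenario(
    "Customer data exposure via a vendor",
    lef=(0.05, 0.2, 0.5),
    lm=(100_000, 400_000, 2_000_000),
)
SCENARIOS = [RANSOMWARE_DOWNTIME, THIRD_PARTY_LEAK]

# Hypothetical threshold: the organization's own quantitative trigger for a
# materiality review (for instance a fraction of annual revenue); the legal
# materiality judgment itself remains with counsel and management.
MATERIALITY_THRESHOLD = 2_500_000

if __name__ == "__main__":
    for name, p90, p_exceed in rank_scenarios(SCENARIOS, MATERIALITY_THRESHOLD):
        print(f"{name}: P90 annual loss ${p90:,.0f}, "
              f"P(annual loss > threshold) = {p_exceed:.1%}")
```

The output ranks the scenarios by tail loss rather than by the most-likely estimate alone, which is what lets a security leader argue, in financial terms, which control gaps deserve budget first and which scenarios are capable of producing a material event at all: the vendor scenario here can never exceed the threshold within its elicited ranges, while the ransomware scenario can.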

The SEC’s Cyber Rules signify a fundamental shift in how cybersecurity risk will be identified, managed, and reported. It is a landmark achievement that brings needed transparency and focus to cyber risk management. Organizations will need to swiftly adjust their processes in order to comply with the new regulations by the deadline. To keep pace with such guidelines, businesses must proactively pivot towards automated and AI-driven systems that enable them to measure the material impact of cybersecurity risk.

If you’re interested in learning more about how Safe Security’s AI-driven Cyber Risk Management Platform equips your business to meet the SEC’s requirements, schedule a demo with a cyber risk expert today.