Blog Post
New SEC Requirements Unite Security Leaders and Key Stakeholders
August 3, 2023
It all started with a statement from the US Securities and Exchange Commission's (SEC) Jaime Lizárraga. The commissioner revealed that a staggering 83% of companies suffered from multiple data breaches last year, with an average expense of $9.44 million in the United States, a dramatic increase of 600% over the past ten years.
These drastic figures, although not surprising given the mass shift to an online economy during the Covid-19 outbreak, motivated the SEC and other prominent figures to take action. Finally, a vote was called to finalize regulations concerning cybersecurity best practices, and it was passed three to two.
Here’s how we got here and what it means for you.
Final Rules Demand Timely Disclosures
The SEC's concerns regarding the disclosure of cybersecurity information are not novel; in 2018, it issued comprehensive guidance on the matter, and you can find the thoughts of Kovrr's VP Strategic Initiatives, Tom Boltman, on the subject here.
The new rules, passed Wednesday, July 26, require publicly traded US companies and foreign private issuers to report "material cybersecurity incidents" within four days of positively identifying an event. These companies are also mandated to make annual disclosures describing their ongoing cybersecurity governance and the impacts of previous incidents.
Rising Risks, Costs of Data Breaches
The new changes will go into effect later this year and are ultimately expected to promote more robust cybersecurity risk management practices among corporations by increasing accountability and better protecting investors by ensuring they are aware of their risk exposure.
According to the Commission, the cost of cybersecurity incidents to companies and their investors is rising, and at an increasing rate. A 2023 IBM report indicates that the financial impact of data breaches on organizations has increased by 15 percent in the past three years to an average of $4.5 million.
Wednesday's decision finalizes a proposal for new regulations announced earlier this year. It builds on cybersecurity guidance issued in 2011 and 2018 and seeks to make reporting more "consistent, comparable, and decision-useful."
What Are the Underlying Benefits?
SEC Chair Gary Gensler stated that while many companies already have disclosures on their cybersecurity infrastructure, these new rules will benefit corporations and investors in their decisions by making the practice more consistent and comparable.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” Gensler said. “Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
This regulation update is an excellent opportunity for cybersecurity leaders to solidify their position. By forging more robust bonds with the C-suite and Board of Directors, utilizing performance metrics to show the success of their programs, and giving regular, quantifiable updates to those involved, they can do just that.
Compliance Obligations Present Opportunity
Once an incident is identified as "material," SEC registrants will be required to report it within four days. They will also be required to describe the nature of the event, its timing, and its impact or expected impact.
Quantifying cyber risk in monetary terms will be a critical aspect of communicating whether a cybersecurity incident is, indeed, "material." Cybersecurity teams can thus ensure that "material" risks are handled appropriately and that financial exposure is accurately assessed.
Constructing a strong cyber risk management program that includes quantification gives confidence to both internal and external stakeholders. CISOs may even use the fresh regulations to their benefit, making a case for a bigger budget and more resources by providing regular data on performance and cyber risk assessments.
What’s New and What’s Required?
The fact sheet published by the SEC is a great place to understand the precise rules regarding cybersecurity disclosures.
Primarily, the new regulations implement both incident reporting and periodic disclosure. In a new focus placed on incident reporting, companies must now disclose any material cybersecurity incident, describing its nature, scope, timing, and impact on financial condition and operations.
Again, organizations will benefit from using technology to deliver these insights on demand and comply with these new regulatory requirements.
These scheduled reports will also require enterprises to detail their cyber defense strategies, if any, for reviewing, identifying, and managing cybersecurity threats and the role their board of directors plays in helping to mitigate them. Organizations will also have to provide updated information on the impacts of any previous incident.
Financial Quantification and Automation: More Important Than Ever Before
Organizations that do not use any form of cyber risk quantification (CRQ) might initially find these new obligations overwhelming. However, by adopting a platform that translates the level of risk into a financial language stakeholders can understand, organizations can quickly adhere to the SEC ruling.
With a proper cybersecurity quantification platform, companies can easily:
- Automate the risk identification process, including the most complex steps: quantifying and valuing risk.
- Measure and predict impacts and risks to an organization, including ransomware demands, third-party security risks, lost revenue and litigation costs, and more.
Added regulations are often seen as a burden. In this case, however, they enable cybersecurity teams to demonstrate how they can contribute to the company's success. The CRQ software approach encourages measurable risk reduction, straightforward communication, and thorough organizational knowledge.
Defining Materiality With Kovrr's Cyber Materiality Analysis
One of the most challenging aspects of cyber materiality is developing a clear definition. Kovrr's cutting-edge cyber risk quantification (CRQ) methodology and Cyber Materiality Analysis feature simplify this process with automated calculations that determine materiality thresholds based on a single basis point of revenue, offering clarity and control to all key stakeholders in an increasingly unpredictable digital landscape.
To learn more about this innovative materiality feature and how Kovrr can assist with the materiality determination process, streamlining compliance and disclosures, read Materiality Analysis Offers Risk Managers Data-Driven Loss Thresholds or contact one of our risk management experts today.
If you would like to find out more about how Kovrr can help your business conform to the new regulatory requirements, book a demo with our team.