Glasswall via Glasswall Blogs
When the confidential data of 1.2 million patients of Tampa General Hospitals was accessed by hackers this year, it provided a staggering display of how a failure to implement appropriate cyber security measures can put customers as well as the business at risk.
Those affected, whether customers or investors, clamored for accountability on TGH’s end. When such risks can be mitigated through preventative action, organizations have few reasons not to do so – yet, incidents like these occur far too frequently for comfort.
To effect change in how businesses approach cybersecurity, the SEC released a final rule (SEC Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure) in July, 2023 mandating a shift in companies’ cyber risk management strategies. To enable investors to accurately assess companies’ resilience or vulnerability to future cyber threats, the rule requires companies to disclose their cyber program, incident response plan, and the impact of cyber risks on their business strategy.
As the amount of power that information holds increases, cybersecurity breaches go beyond compromising confidentiality and causing business disruptions. With this final rule, the SEC has given an impetus to companies to protect their investors’ interests.
The disclosures required by the rule span across three broad areas: cyber incident reporting, cyber risk management and strategy, and cyber governance.
By December 15, 2023, all companies will have to mandatorily disclose on form 8-K that cyber risks can materially affect their business strategy operations or financial conditions, along with previously undisclosed cyber incidents they have dealt with.
As the deadline fast approaches, CISOs can make this transition smoother for their companies by following our four-step approach.
Step 1: Sync Your Business & Cyber Challenges
With its emphasis on protecting investors, materiality is a crucial component of the SEC’s new rule. Material, non-public information refers to information that impacts shareholders and their decision to buy, sell, or hold the company’s shares.
Breaches are unavoidable, so you must determine the investments you need to protect your high-value assets and the situations in which a breach will mandate shutting down your business.
Investments in preventative and detective action need to be increased – if action starts at the point of response, then, unfortunately, it’s already too late.
The SEC has mandated that organizations demonstrate alignment between their business and cybersecurity strategies and how the latter protects the former. While CISOs might easily analyze their internal environments and any information requiring protection, the SEC final rule demands an outside-in perspective. T
Thus, it asks CISOs to go beyond protecting customers and employees, including stakeholders trying to evaluate the company’s status and performance.
Step 2: Bring Your Key Players to the Table
The SEC’s new rule dictates that all material cyber security incidents must be disclosed within four days of their materiality being ascertained.
Such disclosure will have to include the implemented controls, and if these controls don’t actually reduce or manage risk below your threshold, your company will be left vulnerable to a lawsuit.
To protect your company in such an event, you need to have a business-linked plan in place that clearly displays active, ongoing efforts to reduce gaps and weaknesses in your cyber strategy. While board reports have frequently centered on a control maturity scale, an industry benchmark, and your target state, they now need to focus on the actual impact of cyber risks on the business.
A clear focus can be established here by adopting a top-down approach, where you include vital governance pieces in defining your material risk strategy, such as the board of directors, the executive business committee, the working groups, and the technical infrastructure.
Join Thousands of Weekly Readers
Enter your email for instant access to our EXCLUSIVE ebook & discover the Roadmap for Moving to ROI-Led Cyber Risk Management.
Step 3: Capitalize on Collaboration
Far too often, cyber risk management and reporting are enclosed in a bubble divorced from the rest of the company.
Incident response must be tackled as a shared responsibility for a thorough cyber risk strategy. So, as a CISO, you need to shift from working as an individual actor to bringing together the perspectives of important internal stakeholders in a business-led strategy for protecting investors’ interests.
CISOs now need to ensure that cyber security is a company-wide responsibility rather than just a security team one.
An internal alignment needs to occur within companies to determine materiality, set a threshold for acceptable cyber risks, and chart a plan of action to prevent delays when breaches happen. Collaboration is key here, bringing the CISO, CFO, Legal, Chief Risk Officer, and Compliance Officer to a common ground.
A preliminary step towards including major stakeholders in the assessment and management of material cyber risks is documenting the roles and responsibilities of the security team as well as management in case of a breach.
Rather than an incident response plan based on controls and managed solely by the CISO and the SOC team, creating a business-led cyber risk program and operating model that defines specific roles for important internal stakeholders is important. Such a system will lend an actionable perspective to protecting material assets and remaining below the material risk threshold.
Step 4: New Attitude Towards Cyber Risk Management
Compared to collectively preparing a cyber strategy, retaining a focus on controls is definitely easier for CISOs. It doesn’t require an in-depth understanding of business applications or communication with other business units.
But implementing the SEC final rule won’t allow this status quo to remain.
Maintaining a distance from the ground reality of business and the applications of cyber risk measures to the same will cease to be feasible.
The focus of cyber communications has now been extended beyond impacted customers to include shareholders, investors, the board regulators, and the general public. This further means a whole new set of repercussions that companies must keep in mind while establishing and disclosing their financial, regulatory, operational, or reputational strategy.
An absence of controls results in Key Risk Indicators (KRIs) being used to measure qualitative cyber risks, like the number of high vulnerabilities or firewall rule changes. Due to this focus on qualitative assessment over quantitative data, pre-existing risk management processes seldom reflect material risk accurately.
Determining material risk and defining the specific monetary amount that will impact the business is key here. Your KRIs need to capture the material financial impact of the control failure. This mandates a mindset shift to what risk is there, what the control protects, what the leftover risk is, and what it will cost the business.
Step 5: Built Your Material Cyber Risk Inventory
Your material cyber risk inventory should take stock of your company’s material risk, its high-value assets, and the impact of cyber threats. Working with teams across the organization to appropriately prioritize cyber risks and align security measures is crucial for mitigating the risk to business.
The following steps will allow CISOs to build a material risk inventory for their companies:
- Develop a risk impact quantification scale in collaboration with internal stakeholders like the CFO, the Business, and Legal teams. Using a scale of 1 to 5, determine what a big financial loss looks like from their perspective.
- Jointly determine which risk scenarios actually matter to the business. Put down the impact scores for these scenarios and connect them with the specific assets that can cause those scenarios to take place.
- Note which threat vectors can make that threat materialize. For example, if you narrow down email as a potential threat vector for ransomware, then you will need to figure out what control categories are helping you protect your email – whether that is encryption, data backups, or so on.
- Quantifying the maturity of the controls for managing risk will inform you about the remaining risk level. At this point, you can assess with your internal stakeholders if that risk level is acceptable – and if not, increase investments in those controls so you reach the risk threshold the business determined earlier.
Maturity reports often communicate the work being done without putting across how it is helping the business. Security leaders now need to focus on showing the inherent risk, how the controls are helping reduce it, and how much risk is left, and then use that information to prioritize their cyber initiatives.
Involving important stakeholders in calculating material risk, creating a materiality framework, and adopting KRIs that reflect business risks will simplify disclosures during the production of board reports and in the event of a breach.