In the U.S., the Securities and Exchange Commission (SEC) has adopted new rules related to cybersecurity risk management, strategy, governance and incident disclosure for public companies.
Scott Kannry, CEO and Co-Founder of Axio, considers the impact of the rule on day-to-day operations in many businesses, noting: “Now that the SEC cybersecurity rules are in effect, you don’t want to be the company who has a cyber event and isn’t prepared. For most public companies, the first deadlines are December 15th and 18th, so the time to get ready is now.”
As to how to approach the process of change, Kannry explains to Digital Journal that there are two strategies. Here he clarifies: “When viewed through a simplified lens, there are two sides to the rule.”
Outlining these, Kannry puts forward first:
“The disclosure side speaks to having better disclosure as to how the company (more specifically, Board of Directors/Management) is governing and overseeing the cybersecurity program. Companies have to be more forthright about the methodologies and frameworks they are using to manage cybersecurity.”
Secondly, Kannry states:
“The other side speaks to how to determine if a cyber incident is material to investors in the company. That is, whether a cyber event negatively impacts an investor’s investment in the company.”
How can this be translated into practical advice? Kannry recommends: “To ensure that your company is prepared on the disclosure side, you must quickly evaluate the methodologies in place that govern cybersecurity from a board level standpoint. If it’s a hodgepodge of spreadsheets and new consultants every year, you aren’t going to have consistency.”
Drawing on his own experience, Kannry states: “I often draw the analogy to financial management reporting where it’s important to have a trusted and consistent methodology, and capabilities in place to support the utilization of that methodology. For example, do you have the cybersecurity equivalent of an FP&A platform? If the answer is yes, you have the underpinnings to meet the requirement.”
Expanding on his advice, Kannry says: “On the materiality side, it’s the same logic from a different perspective. How would you define if an incident is material as it relates to investor materiality? How does that relate to the way that you define other risks from a materiality standpoint?”
In seeking to answer these points, Kannry puts forward: “For all other areas of risk that might find their way into a company’s enterprise risk management program, that’s typically defined in dollars and cents. We need to do the same thing in cyber and to do so we can use cyber risk quantification. If you currently define cyber event materiality as the percentage of endpoints impacted, can you effectively translate that into operational impact and potential financial impact on the business? If the answer is no, your company is not ready to meet the requirement.”
