In an era where technology, including cloud computing, the Internet of Things, robotic process automation, and predictive analytics, is becoming increasingly integral to businesses, the risks of cyber threats are mounting. Large corporations have a one in four chance of experiencing a data breach, which can lead to multimillion-dollar losses, while smaller businesses face the risk of closure within six months following a severe cyber attack. Thus, managing and evaluating cyber risks has become crucial for business success and is a key concern for investors.
Regulators, acknowledging the need for transparency in managing cyber risks, have introduced new cybersecurity rules. The U.S. Securities and Exchange Commission (SEC) is tightening its regulations to ensure businesses establish appropriate cybersecurity measures and disclose related risks and incidents.
However, researchers indicate that understanding cyber risks is challenging. Organizations often underestimate the financial impact of cyber threats. Immediate effects could include business disruption, reduced production, product launch delays, and the extra costs associated with recovering from an attack. Long-term impacts might entail loss of competitiveness, reputation damage, and revenue loss due to theft of intellectual property or proprietary information. Neglecting cyber resilience can also result in legal repercussions.
There’s no simple solution, as both overinvestment in cyber risk management and ill-aligned risk management strategies can be detrimental. This article underscores the importance of the SEC’s new cybersecurity regulations and suggests four key topics investors should discuss with company boards to evaluate the effectiveness of their cyber risk management strategies.
The new SEC rules now necessitate transparency in cybersecurity. Companies are required to disclose their cyber risk management capabilities, including how the board oversees cyber risk, the management’s role in assessing and managing cyber risks, their relevant expertise, and their part in executing the company’s cybersecurity policies and strategies.
Companies are also obligated to report “material” incidents within four business days of determining that an incident is material (not of its occurrence, since an intrusion may go undetected or unassessed for some time). “Materiality” turns on the incident’s impact on the business’s operations and financial condition, that is, on whether a reasonable investor would consider the information important. These regulations enable investors to assess the efficacy of a company’s cyber risk policies and can offer insights for future improvements in cyber risk management.
To proactively manage cyber risks and stay a step ahead, companies must adapt to changing internal and external environments and prioritize their cyber risk efforts accordingly. Board members can feel overwhelmed by the complex and dynamic nature of cyber risks, leading to blind spots in cybersecurity-related decisions and causing what is referred to as a “capability trap,” a gradual deterioration of critical organizational processes.
To avert this trap, the long-term effectiveness of strategic decisions in the following four areas should be emphasized:
Cyber risk management must be aligned with business needs.
Since boards face numerous challenges and limited resources, the business case for investment in cybersecurity needs to be made clear. This helps board members, especially those without a technical background, understand and discuss cyber risks, and allows the risk to be compared with other business challenges.
Continual monitoring of cyber risk capability performance is essential.
As a business adds systems, suppliers, and data, its attack surface grows, straining security capabilities and making breaches more likely. Continuous monitoring can confirm whether the cyber risk management strategy is working as intended and point to where it needs improvement.
Companies should proactively anticipate changes in the threat landscape.
Digital transformation has expanded the attack surface and given attackers more potent and sophisticated tools. Proactive cyber risk management allows organizations to learn from shared threat intelligence and preemptively improve security capabilities, reducing the incidence of significant security incidents.
Security should be considered a strategic business enabler.
The implementation of a cyber risk management strategy can be challenging, given the growing number of areas requiring protection and the shortage of qualified security staff. Reducing the ongoing workload therefore becomes crucial, which requires secure-by-design engineering, cooperation with peers and vendors, automation, and the realization of economies of scale.
The SEC’s new cybersecurity rules establish a framework for transparency in companies’ cyber risk governance, which should be seen as a starting point for conversations about long-term cyber risk governance efficacy. This article outlines four critical areas to be addressed in these discussions.