Boardish Makes Mandatory SEC Cyber Reporting Simple for Boards
The world was pushed into the fast lane to digital when COVID-19 hit, and this pivot brought more cyber incidents with it. The year 2021 saw a 17% increase in data breaches over the previous year, which equates to an average of $4 million in losses for every incident.
The lack of a consistent (and in many cases, any) reporting and disclosure standard has prompted the US Securities and Exchange Commission (SEC) to propose new mandatory regulations. Under the new guidance, publicly-listed companies would be required to report their cybersecurity practices and provide more detail on material breaches, among other information.
Why the new SEC rules?
The main objective is to enhance the existing guidelines and standardise the reporting process but it also means:
- With this public disclosure, investors, shareholders, and other stakeholders can evaluate a company’s cybersecurity practices and this could have an effect on a company’s value.
- For the company, the new guidelines can kickstart initiatives for a stronger cybersecurity posture, and give technology and cyber a seat at the table alongside other core functions.
- Once implemented, organisations will need to look at their existing protocols and make new plans. And this is where Boardish will come into play.
What Are The New SEC Cyber Disclosure Rules?
After several high-profile cybersecurity incidents and the increasing number of attacks, the SEC deemed it necessary to re-evaluate its current cybersecurity risk guidance. The result is the new disclosure rules, designed in line with the SEC’s more aggressive stance on mitigating risk.
With the announcement, the SEC will require businesses to disclose pertinent information on potential risks and actual data breaches. Once implemented, companies will be mandated to:
- Submit detailed cybersecurity incident reports. This includes updates on reported incidents.
- Disclose the company’s cybersecurity practices, such as cybersecurity risk governance, risk management, and strategies, as well as the Board’s cybersecurity expertise and its oversight of these cyber risks.
The new mandates will expand the SEC’s 2011 and 2018 views on a company’s disclosure obligations on cybersecurity risks and incidents. But more importantly, the new guidelines highlight the importance of cybersecurity risk management.
Once implemented, the new guidelines will improve on the current disclosure guidelines. Existing practices are often inconsistent, and reports submitted late only show a lack of urgency about cybersecurity, which does an organisation’s cybersecurity posture no favours.
SEC Proposed Guidelines: The Highlights
Here’s what you need to know…
Incident Reporting Practice
The new guidelines hope to address the issues with the current incident reporting practice. To do this, the SEC will require companies to disclose the following information:
- When the incident occurred and whether it is an ongoing issue.
- A short description of the incident, including the affected areas in the organisation.
- Any incident of data loss, alteration, unauthorised access, manipulation, or unauthorised use.
- Actions taken to correct the incident, if any.
Aside from these, companies are also required to provide significant updates on all reported incidents. This includes any material changes and significant developments from the time of the incident.
These disclosures are to be included in the quarterly or annual report, whichever is applicable. With this, shareholders and stakeholders will be made aware of important matters that could put the company in the spotlight.
Another important disclosure involves how material an incident is. Some cybersecurity incidents may be immaterial on their own but can be significant in the big picture.
Failing to report minor breaches isn’t uncommon, but making this a practice can mean bigger incidents go unprevented or undetected. The new SEC disclosures aim to prevent this from happening.
Cyber Strategies, Risk Management, and Governance
But more than the pertinent details of cybersecurity incidents, the new guidelines will also require disclosures on a company’s existing cybersecurity strategies which include risk management and governance.
Some of the expected disclosures include the following:
- An overview of a company’s existing cybersecurity risk assessment program and the impact of identified threats to the business
- Any third party involved in the company’s cybersecurity risk assessment
- Policies and procedures that manage any cybersecurity risks related to its use of third-party providers
- Existing protocols that mitigate cybersecurity risks and exposures
- Business continuity plans in the event of material cybersecurity incidents
- Cybersecurity expert/s at the Board level, if any, and a description of their expertise
How The New Rules Will Affect Businesses
This doesn’t affect all businesses. If approved, the rules will only apply to publicly listed companies. Privately-owned businesses, regardless of their size, are not within their scope…yet.
For public companies, these disclosures may have a huge impact on the company’s value. This only highlights the importance of having a strong cyber strategy.
These new disclosures have the potential to expose flaws in a company’s cybersecurity protocols. Making improvements to meet regulations can have a major impact on business operations and the company balance sheet.
And as Board-managed companies grasp the changes that will come from this new mandate, it’s likely that new cybersecurity practices will be adopted. After all, cyber is intrinsically tied to the digital age. Board members will now have to look at cyber more seriously if they haven’t done so yet.
Now, having a strong cybersecurity posture will increase brand value and consumer confidence, both of which can increase stock prices. And not having one can cause the value to plummet once those failings have been disclosed.
The good news is that the CTO, CISO and other IT professionals can use this proposed SEC disclosure mandate as a springboard for cybersecurity discussions, especially if it was previously difficult to engage the board.
After all, disclosure of cybersecurity failures has serious consequences, especially if customer data is affected. And because disclosure compliance will be necessary, that’s where Boardish comes in…
Why Use Boardish For SEC Cyber Reporting
Bridging the gap between the IT and cyber teams and the board is key for fast, clear decision-making. The reality is that building a strong cyber strategy embedded in business goals can be difficult, which is why communicating at board level is important.
Boardish allows you to translate cyber threats and solutions into the language of the business so that the board can be confident they are making the right decisions, quickly.
Cyber professionals can present the need for cybersecurity protocols without tech jargon, using financial language instead to justify the spending needed to mitigate the risks. And it’s this language that the Board understands.
And when it comes to cyber reporting, here’s how Boardish works to your advantage:
Quantify the Financial Impact of Threats
We’ve moved past the days of traffic light systems to present risk. They no longer mean anything.
Whether it’s reporting to the Board for SEC compliance, or simple budget approvals, cyber risks are easier understood through their financial values. With Boardish, you can simulate incidents and see their financial impact.
From market and regulation loss, to sales and salary loss, you can see how your business is affected on a micro and macro level.
Without these values, it is hard to estimate how incidents will affect the organisation, and this can lead to more questions from the SEC, shareholders, and customers. Worse, the company can be perceived as hiding material risk or having no real knowledge of the potential disaster.
Bridge the Communication Gap
C-level executives make decisions based on different numbers and figures that affect various parts of the organisation. For the IT department, the only way to get a fast decision is to speak the language that the board and executives understand.
By presenting financial values related to cybersecurity, C-level executives will have a better appreciation and understanding of cyber. This can lead to a faster approval process and implementation of cyber protocols. And with those protocols in place, companies can be more confident when it’s time to report to the SEC and shareholders.
Understand the Past, Present, and Future
Boardish connects to other tools and data sources to quantify exactly how effective your current controls are, and what they have actually protected against in the past. Based on logs, we can tell you how much you’ve mitigated and how much you’re truly at risk, giving you a present-day snapshot of your posture.
You can then use this data to make informed forecasting and simulations for the future. So you can identify vulnerabilities from a business perspective and take risk assessments to the next level. This will all form part of the risk disclosure mandates.
Project ROI on Cybersecurity Investments
As with all business functions, justifying investment in tools and solutions starts with ROI (return on investment). Investing in cybersecurity tools and programs isn’t cheap, and without understanding the financial exposure and current mitigation, you can’t provide an accurate ROI number.
With Boardish we provide a dedicated dashboard that gives you not only ROI but also KPIs, so you can decide how effective a tool needs to be before you commit to purchasing. With an ROI figure, you’re a lot more likely to get approval and justify spending decisions as a CISO or CTO.
If you want to get started with Boardish, communicating cyber to your board or becoming SEC compliant ahead of time, drop us a message or get in touch here: https://www.boardish.io/