Navigating Cybersecurity Risk Under New U.S. Rules

February 15, 2024

Rulemaking from the Securities and Exchange Commission (SEC) highlights the importance of company transparency with investors and regulators around risk management and the impact of cyber events.

Key Takeaways
  1. Public companies are required to disclose annually, in the Form 10-K, information regarding cybersecurity risk management, strategy and governance.
  2. Public companies are required to disclose material cybersecurity incidents on Form 8-K, generally within four business days after determining that the incident is material.
  3. The fallout from a reputation crisis can be far greater than any short-term earnings losses, with some companies losing significant shareholder value due to cyber events.

In recent years, there has been an escalation in the risk and impact of cyber events. As a result, the SEC has recognized in its recent rulemaking the importance of company transparency with investors and regulators around cybersecurity risk management and the impact of cyber events.

The SEC Cybersecurity Disclosure Rules have received a lot of attention, primarily due to the short timeframe of the requirements to disclose “material cybersecurity incidents.” However, the implications are considerably broader.

What does the SEC want?

The rules require public companies to:

  • Annually disclose information regarding cybersecurity risk management, strategy and governance.
  • Disclose material cybersecurity incidents generally within four business days after determining that the incident is material. The rule also requires that materiality determination itself to be made without unreasonable delay after the incident is discovered, so the clock cannot be deferred by postponing the assessment.

The requirements have generated a significant amount of analysis and interpretation. Erik Gerding, the SEC’s Director of the Division of Corporation Finance, explained the “rationale and mechanics of these rules”:

Our goal as staff is not simply to have another rule on the books ... We are hoping to elicit tailored disclosures that provide consistent, comparable, and decision-useful information to investors...

Erik Gerding
Director, SEC Division of Corporation Finance

The SEC’s rulemaking is clear on what needs to be done, but it does not provide a roadmap for building strategic decision-making processes that would support the required disclosures.

There have been many discussions around the difficulties presented by the disclosures required when a company has a cyber event. These disclosures would be made while the corporation is in the early stages of managing a crisis, and they could raise alarm bells before the firm has all the information it needs to respond to public concerns.

But this fear underlines the fundamental problem that the SEC is trying to address. Cyber attacks and data breaches are the number one risk facing organizations globally and are predicted to remain so through at least 2026. Cyber events can affect all areas of an organization. The fallout from a reputation crisis can be far greater than any short-term earnings losses, with some companies losing significant shareholder value.

What should public companies do?

1. Define a process to implement cybersecurity risk management, strategy and governance.

Board Assessment

  • Assess how the board is overseeing, managing and enabling cyber risk management across the enterprise
  • Conduct risk management, strategy and governance reviews in collaboration with legal
  • Prepare and submit disclosures that communicate how cyber risk is being managed

Define Risk Appetite

  • Focus on priorities
  • Allocate resources
  • Optimize outcomes in the context of risk reduction

Enterprise Risk Assessment

  • Use pre-defined risk appetite as the framework
  • Assess how risk is being managed throughout all phases of the risk lifecycle:
    • Identify and assess risks
    • Implement proper controls
    • Establish capabilities to ensure that the organization can recover from an adverse incident
    • Address weaknesses in current control implementations
    • Monitor the threat landscape for emerging threats

2. Disclose material cybersecurity incidents.

Risk Quantification

  • Conduct scenario-based impact quantification studies
  • Quantify results in the context of corporate risk tolerance
  • Understand the near- and long-term financial impacts of adverse cyber events
  • Create materiality decision-making framework around results
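As an added example (not code from the article or from Aon), the following Python model shows what the quantification step above can look like in practice: it draws a distribution of annual cyber loss from a few assumed scenarios, tests that distribution against a stated risk appetite, and places a single incident’s current loss estimate on the distribution as one quantitative input to the materiality decision. The scenario names, frequencies and loss sizes, the $20M/5% risk appetite and the $15M quantitative threshold are all constructed assumptions; the qualitative factors that also drive a materiality call are deliberately left outside the model.

```python
"""Scenario-based cyber loss quantification with a materiality screen.

Added example, not code from the article or from Aon. Every figure below
(scenario rates, loss sizes, threshold, risk appetite) is an assumption.
"""
import bisect
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One scenario from an impact study: how often it happens, what it costs."""
    name: str
    annual_frequency: float  # expected events per year (Poisson rate), assumed
    median_loss: float       # median loss of one event in USD, assumed
    sigma: float             # log-normal spread of the single-event loss, assumed


@dataclass(frozen=True)
class RiskAppetite:
    """Annual loss above max_annual_loss should occur in no more than
    max_exceedance_probability of years (assumed board statement)."""
    max_annual_loss: float
    max_exceedance_probability: float


# Constructed scenarios; a real study would derive these from incident data,
# insurance claims and business-impact interviews.
SCENARIOS = (
    Scenario("ransomware with operational outage", 0.30, 4_000_000, 1.0),
    Scenario("customer data breach", 0.50, 1_500_000, 0.9),
    Scenario("third-party vendor compromise", 0.20, 2_000_000, 1.1),
)
APPETITE = RiskAppetite(max_annual_loss=20_000_000, max_exceedance_probability=0.05)
QUANTITATIVE_THRESHOLD = 15_000_000  # assumed: 5% of an assumed $300M pre-tax income


def poisson_sample(rate: float, rng: random.Random) -> int:
    """Knuth's inversion method; adequate for the small event rates used here."""
    limit = math.exp(-rate)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(scenarios=SCENARIOS, years=10_000, seed=7):
    """Monte Carlo: total loss for each simulated year, returned sorted ascending."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(poisson_sample(s.annual_frequency, rng)):
                total += rng.lognormvariate(math.log(s.median_loss), s.sigma)
        losses.append(total)
    losses.sort()
    return losses


def loss_at_percentile(sorted_losses, q):
    """Loss not exceeded in fraction q of simulated years (0 <= q <= 1)."""
    idx = min(len(sorted_losses) - 1, int(q * len(sorted_losses)))
    return sorted_losses[idx]


def exceedance_probability(sorted_losses, threshold):
    """Fraction of simulated years whose total loss is at least threshold."""
    first = bisect.bisect_left(sorted_losses, threshold)
    return (len(sorted_losses) - first) / len(sorted_losses)


def within_appetite(sorted_losses, appetite=APPETITE):
    """Risk appetite test: (passes?, modeled probability of breaching the limit)."""
    p = exceedance_probability(sorted_losses, appetite.max_annual_loss)
    return p <= appetite.max_exceedance_probability, p


def screen_incident(estimated_loss, sorted_losses, threshold=QUANTITATIVE_THRESHOLD):
    """Quantitative input to one incident's materiality decision.

    Places the current loss estimate on the modeled annual-loss distribution and
    tests it against the quantitative threshold. Qualitative factors (regulatory
    exposure, customer trust, litigation) are weighed by the disclosure
    committee, not by this function.
    """
    rank = bisect.bisect_left(sorted_losses, estimated_loss) / len(sorted_losses)
    return {
        "estimated_loss": estimated_loss,
        "percentile_of_modeled_annual_loss": rank,
        "exceeds_quantitative_threshold": estimated_loss >= threshold,
    }


if __name__ == "__main__":
    losses = simulate_annual_losses()
    print(f"expected annual loss: ${sum(losses) / len(losses):,.0f}")
    for q in (0.50, 0.90, 0.99):
        print(f"P{int(q * 100)} annual loss: ${loss_at_percentile(losses, q):,.0f}")
    ok, p = within_appetite(losses)
    print(f"P(loss >= ${APPETITE.max_annual_loss:,.0f}) = {p:.3f} "
          f"-> {'within' if ok else 'outside'} appetite")
    print(screen_incident(18_000_000, losses))  # hypothetical $18M incident
```

The exceedance curve (loss versus probability of exceeding it in a year) is what makes the risk appetite concrete for the board, and the incident screen gives the disclosure committee a repeatable number to start from; the final materiality judgment still has to account for the qualitative considerations the model leaves out.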

Response Review

  • Create internal processes and capabilities for management decision-making around materiality and disclosure
  • Document processes in plans and playbooks
  • Link and coordinate risk management, business continuity planning, disaster management and disaster recovery plans to board, legal and compliance oversight

Materiality Workshops and Exercises

  • Stress test the components, data inputs and responsibilities through simulation
  • Engage outside resources (particularly legal and public relations) in simulations to ensure consistency of protocols and messaging
  • Engage senior leadership to understand and define roles and responsibilities in making materiality decisions
  • Refine and repeat the exercise as the corporate structure, risk profile and threat environment evolve

Aon has global resources and capabilities to help companies put a structure in place to make better decisions and implement these across a corporate framework. Importantly, Aon can also structure risk financing solutions to mitigate the impacts of cyber events directly with Cyber Insurance and Directors & Officers Insurance.

Aon's Thought Leaders
  • Tom Ricketts
    Managing Director, Aon
  • Nick Reider
    Senior Vice President and Deputy D&O Product Leader, North America
  • Lynn Burns
    Cyber Director, Cyber Security Advisory, North America
  • Laura Wanlass
    Partner and Practice Leader, Global Corporate Governance and ESG Advisory

General Disclaimer

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.
