Many Companies Will Need to Upgrade Cybersecurity Risk Oversight to Comply with Anticipated SEC Rules
By AJ Sarkar, Founder and CEO of OptimEyes.ai
The US Securities & Exchange Commission (SEC) recently proposed rules that would require public companies to release detailed reports on their cybersecurity risk management, strategy, oversight, and incidents.
These disclosure rules, if enacted as expected, will require companies to address cyber risk management at the board level, as a strategic imperative, and publicly. Companies that fail to raise their game run the risk of being left behind.
If the rules are enacted, enterprises will need to:
- Report material cyber incidents within four days of identification and comply with additional incident reporting requirements.
- Disclose cyber risk policies and procedures in detail — including their role in the company’s financial planning, capital allocation, and business strategy.
- Describe board oversight of — and expertise in — cybersecurity.
In its proposal, the SEC notes that cybersecurity threats are on the rise, increasingly sophisticated, and a serious risk to companies and investors. “Public companies of all sizes and operating in all industries are susceptible to cybersecurity incidents,” the document says. It notes that CEOs of the largest 200 global companies have called cybersecurity vulnerability the top threat to business growth and the international economy.
The Growing Risk in Risk Management
This is the latest example of stakeholders carefully evaluating companies based on cyber readiness.
Companies often manage risks in functional silos, collect and assess risk data in standalone spreadsheets, and fail to give C-suite execs and board members a big-picture, holistic view that ties risk to strategic objectives.
These enterprises lack a common viewpoint and terminology for addressing risk across functions and between operations, management, and leadership. They may miss emerging threats until they escalate into crises and fail to weigh the magnitude of one risk against another.
These blind spots will be apparent if the new SEC disclosure rules are enacted. And the impact may be greater than a failure to comply with regulatory requirements. A worrisome cyber narrative can threaten a company’s reputation, customer confidence, business opportunities, market valuation, and potential to secure investment.
Thankfully, next-gen risk modeling technology gives companies a holistic view of their enterprise risk, so they can demonstrate their command of cybersecurity and reassure regulators, investors, customers, and other stakeholders.
The New Age of Risk Modeling
Gartner says Integrated Risk Management is “a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.” And it requires a company’s risk and security leaders to address six attributes: risk strategy, technology, monitoring, assessment, response, and communications & reporting.
Effective Integrated Risk Management can be built upon an Integrated Risk Modeling platform that enables companies to capture, analyze, customize, benchmark, and report risk data. With this intel-in-context, they can see the big picture, ensure their cybersecurity programs support the organization’s strategic objectives, set priorities thoughtfully, and create informed responses and remediation plans.
Here are four questions risk and security leaders can start with when they’re evaluating an Integrated Risk Modeling solution:
- Does the platform take in your operational data and strategic objectives to report on current risk exposure and provide organization-specific insights?
- Does it provide benchmarks that take account of industry type, company size, risk appetite, and data assets so comparisons with peers and competitors are hyper-targeted?
- Does it quantify the financial impact of risks to inform priority setting and resource allocation?
- Does it visualize data in an intuitive dashboard that can be customized so executives, functional management, and operational personnel can access the information they need?
These capabilities will position companies to comply with the proposed SEC disclosure requirements, reassure key stakeholders, improve risk management outcomes, and gain an advantage over competitors. For more information on the OptimEyes.ai solution, visit here. To request a demo, contact us here.