The Future of Quantitative Cyberrisk Reporting

Author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, Chief Risk Officer, Kovrr
Date Published: 8 June 2022

An increasing number of boards of directors (BoDs) are paying greater attention to their cyberrisk exposure, which has placed pressure on security teams to provide BoDs with what they need. Some boards employ cybersecurity experts as members and others source external experts to advise them. However, corporate governance is not the only item placing pressure on security functions to step up their risk reporting. The US Securities and Exchange Commission (SEC) proposed new cyberrisk reporting requirements to address incident reporting and security operations.

It is safe to assume that no matter where an enterprise resides, there is a trend toward increased regulatory requirements for cyberincident disclosure and cyberrisk reporting. Even if there is not pressure from the government to do so, corporate governance best practices will compel BoDs to ask more pointed questions about control effectiveness and loss potential. Indeed, many cyberrisk professionals are already being required to upgrade their risk reporting since phishing testing metrics are no longer sufficient. Further, the investor community is looking to evaluate security posture and loss potential across broad swaths of the enterprise landscape without having to become experts on cybersecurity. As a result, proxy advisors are including security performance metrics in proxy reports.

Given this trend, an important question to ask so that cybersecurity and cyberrisk teams can begin preparing today is, “What might the next wave of cyberrisk reporting look like?”

It is reasonable to forecast that some version of the following will represent best-in-class cyber disclosure requirements:

  • Measures of cybermateriality that include quantitatively computed values of security control performance measured against peer cohorts. Performance that deviates from the peer cohort in the reporting period should be considered material and be disclosed as such.
  • Future-looking reports of the potential financial impact of relevant cyberevents should be imputed. Such measures should account for organizational control postures, and if such computations indicate losses in excess of a materiality threshold (computed using typical American Institute of Certified Public Accountants [AICPA] financial benchmarks), then those scenarios should be reported as being material.
  • Organizations should disclose how they plan to address the financial impact of cyberevents with specific indications of insurance risk transfer mechanisms, capital reserves and/or investment in risk reduction through cybersecurity capital outlay.
  • Organizations that are not measuring their cybersecurity and cyberrisk using the aforementioned methods and/or that have no plans to address the financial impacts should disclose that as a material deficiency in their security and risk operations.

The aforementioned disclosure guidelines go beyond the current state of security disclosure requirements (typically some version of acknowledging publicly that an incident has occurred) and focus more on potential future cyberevents. Such information provides significantly more data to investors about how well an organization's cybersecurity program is run and the degree to which their investments would be at risk of a cyberevent occurring. Organizations that currently invest in cyberrisk quantification (CRQ) programs have an advantage compared to those that have not yet begun assessing risk in this manner. A good resource for organizations looking to begin their CRQ journey is ISACA’s Cyberrisk Quantification white paper. Whatever the future may hold for cybersecurity and risk reporting, it is a safe bet that maturity will only increase—and mature organizations plan for the future.

Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, NACD.DC, is a vice president and head of cyberrisk methodology for BitSight, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, ISSA Distinguished Fellow, FAIR Institute Fellow, IAPP Fellow of Information Privacy, (ISC)2 2020 Global Achievement Awardee and the recipient of the ISACA® 2018 John W. Lainhart IV Common Body of Knowledge Award.