Learnings From First Batch of SEC-Required Incident Disclosures

Don’t be caught off guard by the SEC’s new cybersecurity regulations: prepare!

Don’t be caught off guard having to disclose a cyber incident to comply with the new SEC regulation on cybersecurity. It’s important to prepare ahead of time and agree internally on what should be considered a material cyber event for your company, in what format you should report it, and how much information should be provided.

The reality is that, in most cases, the scope of the incident won’t be fully understood until the forensic team has completed its work, which might take more than the four days specified in the regulation. Once the scope is understood, an estimated dollar amount for the recovery work attached to the incident can be defined. That metric should be essential in deciding whether the event is material or not.

There are some learnings from the first set of disclosures that have been made. They have been criticized and even characterized as non-compliant (Forbes: Companies Are Already Not Complying With The New SEC Cybersecurity Incident Disclosure Rules). The companies mentioned in the article made an incident disclosure, so they must have determined that the incident was material to a reasonable investor.

But none of them explained why the incident was material or how they reached the conclusion that it was. As mentioned above, it is highly unlikely that these companies had the full picture and could estimate the overall scope and cost of the incident to the business at the time of disclosure.

So, what can be done?

Unless the SEC amends the regulations, companies should be better prepared. For most companies, quantifying cyber risk would give them tangible information to decide what to disclose when an incident occurs. With evidence-based estimates of losses for each category of attack at each facility, cyber risk quantification provides immediate guidance on the range of damage and financial impact that a company faces when an incident occurs.
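As an added illustration of what "evidence-based estimates of losses for each category of attack at each facility" can look like in practice, here is a small Monte Carlo cyber risk quantification model. It is example code written for this article, not DeNexus's platform or methodology; the facility names, attack categories, event rates, per-event loss figures and the materiality threshold are all constructed assumptions. Each scenario carries an annual event rate (Poisson) and a per-event loss (lognormal, given as a median and a spread); simulating many years yields a loss range (P50/P90) and the probability that a year's losses reach a chosen materiality threshold, which is the kind of number a disclosure decision can be anchored on.

```python
"""Illustrative cyber risk quantification model (hypothetical example).

Each scenario pairs a facility with an attack category and carries two
evidence-based parameters: how often such events occur per year (Poisson
rate) and how large the loss per event tends to be (lognormal, given by a
median and a spread). A Monte Carlo run turns these into a distribution of
annual loss, from which a range (P50/P90) and the probability of exceeding a
materiality threshold can be read off. All figures below are constructed.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    facility: str
    attack: str
    events_per_year: float   # Poisson rate from incident history (constructed)
    loss_median: float       # median loss per event in USD (constructed)
    loss_sigma: float        # lognormal spread; 0 means a fixed loss per event


# Constructed sample inputs; a real model would derive these from telemetry,
# claims data and recovery cost records.
SCENARIOS = [
    Scenario("plant-A", "ransomware", 0.3, 2_500_000, 0.9),
    Scenario("plant-A", "phishing-bec", 1.5, 120_000, 0.6),
    Scenario("plant-B", "ransomware", 0.2, 4_000_000, 1.0),
    Scenario("plant-B", "ot-outage", 0.5, 800_000, 0.7),
]


def expected_annual_loss(scenarios):
    """Analytical expected annual loss: rate * mean per-event loss.

    The mean of a lognormal with median m and spread s is m * exp(s^2 / 2).
    """
    return sum(s.events_per_year * s.loss_median * math.exp(s.loss_sigma ** 2 / 2)
               for s in scenarios)


def _poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_losses(scenarios, trials=10_000, seed=1):
    """Return a sorted list of simulated total annual losses, one per trial."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        total = 0.0
        for s in scenarios:
            for _ in range(_poisson(rng, s.events_per_year)):
                total += rng.lognormvariate(math.log(s.loss_median), s.loss_sigma)
        losses.append(total)
    losses.sort()
    return losses


def percentile(sorted_losses, p):
    """Nearest-rank percentile (p in [0, 1]) of an ascending list."""
    idx = min(len(sorted_losses) - 1, max(0, math.ceil(p * len(sorted_losses)) - 1))
    return sorted_losses[idx]


def exceedance_probability(sorted_losses, threshold):
    """Fraction of simulated years whose total loss reaches the threshold."""
    return sum(1 for x in sorted_losses if x >= threshold) / len(sorted_losses)


def is_material(estimated_loss, threshold):
    """Materiality test on a single incident's estimated loss."""
    return estimated_loss >= threshold


if __name__ == "__main__":
    losses = simulate_annual_losses(SCENARIOS)
    threshold = 3_000_000   # constructed materiality threshold in USD
    print(f"expected annual loss: {expected_annual_loss(SCENARIOS):,.0f}")
    print(f"P50: {percentile(losses, 0.5):,.0f}  P90: {percentile(losses, 0.9):,.0f}")
    print(f"P(annual loss >= threshold): {exceedance_probability(losses, threshold):.2%}")
```

The materiality threshold itself is a business decision (typically tied to revenue or earnings), which is why it is passed in rather than derived; the model's job is to show where an incident's estimated cost sits relative to that line and how much of the loss distribution lies beyond it.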

The benefits of cyber risk quantification are plentiful:
  1. Cybersecurity teams can make much better decisions and allocate resources to where they can have the greatest impact.
  2. CISOs can justify cybersecurity investments to their CFO and the board.
  3. Cybersecurity teams can track the progress of their risk reduction efforts over time.
  4. Companies can refine their risk transfer approach and optimize their insurance premium.

If your organization has responsibility for the cybersecurity of OT environments, DeNexus can get you started with quantifying your risk at no cost. Contact us today.

Note: In parallel, a handful of public entities have started to issue 10-K annual reports that address the SEC’s new requirements for cyber risk reporting and governance. Harvard Business Law School has already analyzed this early batch of 10-K reports: Cybersecurity Disclosure Report.