In February of 2018, the Securities and Exchange Commission (SEC) updated its guidance statement on cybersecurity, expanding the scope of the guidance initiated in 2011. It might seem unlikely that a regulatory group set up to protect the U.S. economic markets is writing specific guidelines for cybersecurity. But as the risk of cyber attack increases, so does the financial impact on publicly traded companies. Put simply, cyber risk equals business risk, and the SEC’s role is to protect investors by ensuring publicly traded companies provide full disclosure of all types of financial risk, as well as protecting against possible insider trading that could occur before public disclosure.
What You Need to Know about the New Guidelines
The new guidelines expand on the initial guidelines set out in 2011. At that time, all that was required of companies was disclosure of cybersecurity risks and incidents that were of “material” concern to the finances of the company. Unfortunately, a lot of incidents went unreported due to various interpretations of what was a material concern.
These expanded guidelines set a new measurement standard for the costs associated with cyber risks and attacks, putting it into monetary terms to determine the significance of the impact on the business and its shareholders. This means companies will need to disclose the impact of cyber attack from business, financial, and operational standpoints.
The new guidelines recommend that disclosures cover:
- Frequency of cyber events based on past experience
- Probability and magnitude of incidents (costs, in financial terms)
- Adequacy of controls
- Third-party suppliers that might create material risks
- Amount of insurance coverage
- Potential reputational harm
- Relevant laws and regulations
- Potential fines and judgements from cybersecurity incidents
For business executives who previously thought cybersecurity was an IT problem that could be addressed with proper firewalls, these new guidelines bring into light the very fact that cybersecurity isn’t just an IT problem, it’s an entire business problem. To learn more about the new regulations and how they affect your business, visit the SEC page Cybersecurity, the SEC, and You.
Putting Cyber Risk Assessments into Practice
In order to remain compliant with SEC disclosure guidelines, every publicly-traded company must now put into practice full cyber risk assessments, and report those findings to investors and shareholders. But how exactly do you go about this? Cybersecurity assessment tools have been in place for years for large companies. But small to medium sized businesses have traditionally been unable to afford these assessments, and at the same time are limited in resources as far as having staff that can undertake this assessment.
Long before the SEC created its guidelines, Threat Sketch was educating the business community on the all-encompassing reach of cyber attacks. Founders Rob Arnold and Nathan Powell have worked to create a risk assessment tool designed specifically for small to medium-sized businesses that is not only effective but also affordable.
Going through the risk assessment process allows a company to get a full view of how far-reaching the effects of a cyber attack can be. The process helps business executives assemble a team to assess the company’s risk factors and put in place a plan for prevention and preparedness that will help satisfy investors while protecting the company.
To learn more about how to put a cybersecurity plan in place and fully assess your company’s financial risk, visit Threat Sketch’s small business solutions or check out Rob Arnold’s recent book, Cybersecurity: A Business Solution.
About the author: Karen Alley is a freelance writer and editor and has worked for over 10 years writing web content and blogs for various businesses.