With the increased frequency of cyberattacks and the continued growth of cyber threats, the Securities and Exchange Commission (SEC) is considering rules for the oversight of cyber risk, with the goal of protecting investors and ensuring market stability. Management Teams, Boards and IT Security leaders can prepare for these oversight requirements by building a shared understanding of risk founded on practical cyber risk narratives, and can use this as an opportunity to turn cybersecurity preparedness into a competitive advantage.
Successful cyber attacks can expose sensitive Firm information, interrupt business operations and potentially cause systemic disruptions of financial markets. The SEC is working on multiple new cyber risk management and oversight rules for Investment Advisors & Investment Companies and for public companies. The intent is to ensure investor protections and market stability from such cyber attacks.
Under evaluation are additional requirements for cyber incident reporting and for policies & procedures to guide day-to-day cyber risk management. A focus on oversight of cyber risk by Management Teams and by Company and Fund Boards is also being evaluated.
While the focus on additional policies, procedures and controls isn’t new for such rules, the additional scrutiny on management oversight in implementing policies and procedures, and on the Board’s role in the oversight of cybersecurity risk, warrants a closer look.
Changes to Risk Oversight
Management Teams and Boards use a variety of methods to understand cyber risk today. Central to the success of effective oversight is the comprehension of complex cyber risk by those responsible for oversight.
The proposed rules evaluate disclosure requirements related to cyber risk review during business strategy setting, financial planning and capital allocation. Documentation of the Board’s role in performing oversight activities for cyber risk is also being considered.
Once finalized, these new oversight requirements for Management Teams and Board Members can represent a significant change relative to current methods. With the new rules, limited oversight of cyber risk may become significantly more consequential for Management Teams and Board Members.
While some may perceive these changes as burdensome, these rules may be the catalyst necessary to make a paradigm shift from how oversight of cyber risk is performed today.
Enabling Cyber Risk Oversight
Understanding and managing risk with traditional approaches such as risk registers and heat maps is fraught with challenges (some of which are highlighted here). Other approaches that rely solely on technical indicators or on aggregated numeric scores obscure the impacts to the business. Such methods can make it difficult to evaluate cyber risks during business strategy setting and financial planning.
To support oversight under new rules, a shift in perspective is needed that directly improves the comprehension and understanding of cyber risk by those responsible for oversight.
To be successful, effective Boards and Management Teams should extend their approach to oversight of other business risks to the oversight of cyber risk – by understanding key drivers of risk and their operational and financial impacts. Cyber risk is a business risk and today’s methods need to evolve to support effective oversight of cyber risk as a business risk.
Technical indicators are certainly important to understand effectiveness of controls and defenses, but the review of technical indicators should be supplemented with specific operational and financial risk impacts. A coherent cyber risk narrative that paints the complete picture of the risk spread across the Firm and its Third Parties can provide the insights for increasing understanding. Armed with these insights, Board and Management Team members can adequately prepare for oversight activities.
While Boards can certainly increase the level of technical expertise on the Board by having technically strong Directors, risk oversight remains the collective responsibility of the full Board. Increased comprehension of cyber risk factors and impacts with practical, relevant and evidence-based narratives can build the context necessary for effective oversight.
Done effectively, the artifacts of this narrative-based process can be used as the starting point for providing evidence of oversight. Effective oversight can also provide commercial advantages as insights from the oversight process can be used to build confidence and trust with prospects and clients.
For IT Security leaders, this is a huge opportunity to distinguish themselves from peers and demonstrate stewardship in protecting Firm value, by positioning themselves as enablers of effective oversight. IT Security leaders can raise the bar and collaborate with other teams within the Firm to build coherent cyber risk narratives.
For Management Teams and Board Members this is an impetus for applying their business judgement to the management of cyber risk and playing a more direct and attributable role in improving Firm resilience.
Boards, Management Teams and IT Security Leaders who regularly evaluate cyber risk exposures, assess the effectiveness of controls and make the investments necessary to improve cyber resilience can earn the trust of their investors and clients and further differentiate their Firms from the competition, while enabling regulatory compliance once such rules are implemented.