


Here’s What Boards Need, CFOs Want And CIOs Must Do To Tackle Cyber Risk


The SEC’s much-heralded cybersecurity disclosure requirements fill a well-known reporting void. Yet illusory satisfaction with compliance minimums may dangerously fuel already widespread overconfidence in digital defenses.

Predictably, many companies will respond to the new cyber regulations by shuffling board members, debuting glossy job titles, forming cleverly named subcommittees, adopting audit firm disclosure guidance and trumpeting cyber defense outlays.

Such corporate stagecraft is wholly inadequate if disconnected from measuring cyber threats’ real strategic, reputational, operational and financial risks.

That is far harder work, and it starts with more sophisticated cybersecurity monitoring, predictive analytics and decision tools.

Danger lurks

History shows that new regulations initially fortify oversight, but soon seem overmatched by escalated complexity. Look how boilerplate financial reporting falters as new business models, contract structures and transaction types emerge.

That’s child’s play compared to cybersecurity — especially when leaders prioritize stylized corporate messaging over meaningful action and sufficient funding.

Chris Hetner, former senior cybersecurity advisor to SEC Chairs Mary Jo White and Jay Clayton and currently Nasdaq Center for Board Excellence Insights Council member and senior cyber risk advisor to the National Association of Corporate Directors, agrees and advocates mirroring risk transfer market methodologies.

Hetner urges boards to re-center cybersecurity discussions on “the financial and business impact associated with each digital risk type. That immediately connects continuous cyber risk assessment to strategy and balance sheet stress.”

That approach is uncommon. “The default tendency of CIOs and CISOs is to rely on periodic tactical and technical reports to justify tech solutions that may suppress risk,” Hetner highlighted. “That too often gets ‘lost in translation’ when engaging board members and the wider c-suite — leaving leadership unsure of precisely what they are funding and where residual gaps remain.”

Alternatively, he added, by starting with “those (cyber risk) scenarios that are most material to the business, the board can focus on specific categories of losses that are ideally aligned with the risk transfer market such as intellectual property theft, business interruption, ransomware, loss of customer data or misappropriation of funds. Running this scenario analysis as part of an ongoing assessment shows how cybersecurity pairs with potential loss contingencies.” That gets CFOs’ attention.

Hetner emphasized, “When a leadership team possesses an aggregate view of risk tied to financial exposure, they can then best decide how much risk to accept, transfer or deploy capital to manage.” That holistic view elevates cybersecurity from a technical, regulatory afterthought to the business strategy forefront.

Next level sentinel

As digital threats soar, here are two novel ways CIOs can help boards respond.

First, CIOs need to deepen board understanding of risk prevention and breach remediation cost drivers. Contemporary frameworks and meaningful benchmarks can be extremely helpful in highlighting the skyrocketing costs of cyber exposure.

For example, IBM’s 2021 Data Breach report details four cost centers that spur cyber incident expenditures: (1) detection and escalation; (2) lost business; (3) notification of affected parties and (4) post-breach remediation.

In a review of 537 recent incidents across 17 industries, IBM reported that the average data breach cost $4.2 million and took nearly 300 days to contain. Ransomware and data destruction attacks required similar average time and resources — with many costing far, far more.

Intriguingly, IBM found that organizations with fully deployed security AI and automation experienced incidents less frequently and at 80% lower cost than peers without such protection. Such industry data help tech leaders and boards benchmark their cybersecurity preparedness and prioritize modernization of their defense infrastructure.

Second, tech leaders must identify cyber monitoring tools that connect exposure to loss categories, perform real-time, what-if analyses and escalate defenses. For instance, X-Analytics, a patented and validated cyber risk decisioning platform developed by Secure Systems Innovation Corporation (SSIC), offers software that ties cyber risk probability, severity and control effectiveness to financial loss probabilities.

Such simulations need to address board cyber risk questions through a business lens.

Hetner explained, “Leaders must extrapolate what-if scenarios — what are the business and monetary consequences of ransomware attacks, stolen records or misappropriation of funds? Most of this analytic capability is used in cyber insurance. It’s time for the CIO and CISO community to leverage these capabilities in routine reports to boards, CFOs and audit committees.” That’s quite rare and much needed.

Hetner added that vulnerabilities can vary greatly across industries and companies, noting, “Healthcare looks different than banking, retail and manufacturing — and loss ratios will differ based on company infrastructure and breach severity. Aggregating estimated exposure against potential revenue and asset misappropriation is a more constructive cybersecurity dialogue with CFOs who expect financial risk reduction.”
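To make the scenario-based approach described above concrete, here is an added illustration (not code from the article, from Hetner, or from X-Analytics): each loss category the page names gets an annual probability, a control-effectiveness figure and a severity range, from which a residual probability, an expected annual loss, a what-if on control investment, an accept/reduce/transfer treatment and a Monte Carlo loss-exceedance figure follow. Every parameter value is a constructed placeholder, not benchmark or vendor data.

```python
import random
from dataclasses import dataclass, replace

@dataclass
class Scenario:
    name: str
    annual_probability: float     # chance of at least one incident per year, before controls
    control_effectiveness: float  # share of incidents current controls prevent, 0.0 to 1.0
    loss_low: float               # plausible severity range in USD if an incident occurs
    loss_high: float
    def residual_probability(self) -> float:
        return self.annual_probability * (1.0 - self.control_effectiveness)
    def expected_annual_loss(self) -> float:
        # residual frequency times mid-point severity
        return self.residual_probability() * (self.loss_low + self.loss_high) / 2.0

# Constructed parameters for illustration only; not benchmark or vendor data.
SCENARIOS = [
    Scenario("ransomware", 0.30, 0.50, 1_000_000, 5_000_000),
    Scenario("business interruption", 0.20, 0.25, 500_000, 2_500_000),
    Scenario("loss of customer data", 0.10, 0.40, 2_000_000, 6_000_000),
    Scenario("intellectual property theft", 0.05, 0.20, 5_000_000, 15_000_000),
    Scenario("misappropriation of funds", 0.10, 0.60, 100_000, 900_000),
]

def aggregate_expected_loss(scenarios) -> float:
    # the single figure that connects the cyber programme to the balance sheet
    return sum(s.expected_annual_loss() for s in scenarios)

def what_if(scenario: Scenario, new_effectiveness: float) -> float:
    # expected annual loss avoided if a control investment lifts effectiveness
    improved = replace(scenario, control_effectiveness=new_effectiveness)
    return scenario.expected_annual_loss() - improved.expected_annual_loss()

def treatment(scenario: Scenario, retention: float) -> str:
    # accept losses the company can absorb, reduce frequent risks, transfer rare severe ones
    if scenario.loss_high <= retention:
        return "accept"
    if scenario.residual_probability() >= 0.10:
        return "reduce"
    return "transfer"

def exceedance_probability(scenarios, threshold: float, years=20_000, seed=7) -> float:
    # Monte Carlo: share of simulated years whose total loss exceeds the threshold
    rng = random.Random(seed)
    exceeded = 0
    for _ in range(years):
        total = sum(rng.uniform(s.loss_low, s.loss_high)
                    for s in scenarios if rng.random() < s.residual_probability())
        exceeded += total > threshold
    return exceeded / years
```

Running `exceedance_probability` at several thresholds yields the loss-exceedance curve that cyber insurers price against, which is the view Hetner suggests CIOs bring to CFOs and audit committees.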

While these two initiatives undoubtedly require significant time, expertise, funding and workplace collaboration, inaction is far costlier and more consequential.

Action not words

Settling for regulatory compliance in the face of relentless cyber threats is an abdication of fiduciary responsibilities and leadership obligations. Companies that are serious about cyber readiness will respond with the next-generation defenses and financial analytics that the lucrative, but dangerous, digital era demands.

Who’s willing to close the cyber rhetoric-reality gap — or at least acknowledge it?
