Everyone is Scrutinizing Your Cybersecurity. Will They Be Reassured or Scared Off?
By AJ Sarkar, Founder and CEO of RiskOpsAI™
Here’s a prediction: Within five years, the U.S. Securities and Exchange Commission (SEC) will require companies to disclose the quantifiable impact of their cybersecurity risk.
By ‘quantifiable impact,’ I mean a data-driven estimate of the potential financial cost of a cyber failure, its remediation, and ongoing losses. I don’t mean a letter grade from a cybersecurity ratings agency, heavily based on industry norms.
Two developments are driving this:
- The availability of next-gen risk modeling that surpasses traditional risk-scoring methodology to quantify threats based on a company’s unique operational conditions and data.
- A growing demand for enterprise risk disclosure that goes beyond cyber and beyond the SEC.
And there’s a third factor — it’s good business. Better risk modeling creates valuable intel that helps companies understand the magnitude of their risks, compare the severity of one challenge to another, set priorities, and create informed remediation plans.
And a company with a demonstrable command of its enterprise risks can create business opportunities and a competitive advantage.
Demonstrating Preparedness & Resilience
Government authorities, investors, customers, and potential business partners are evaluating companies’ cybersecurity posture with growing intensity. Their conclusions about an enterprise’s ability to mitigate threats and safeguard customer data influence decisions about whether and how to engage with that company.
In this environment, corporate cyber disclosures must elicit confidence and dispel fear so the company can maintain trust, seize business opportunities, and deliver value. Companies need to demonstrate cyber resilience and preparedness grounded in facts — but too many deliver a piecemeal narrative based on guesswork.
Most enterprises lack a holistic view of their unique enterprise risk landscape — a view built upon the company’s own operational data, risk tolerance, and business objectives across all risk factors. As a result, they can’t quantify and compare the financial impact of threats, let alone understand the impacts to other areas of the business. This impedes good decision making and sound risk management strategies.
Instead, risk analysis is typically isolated within functional silos, data is collected and assessed manually in spreadsheets, reporting to executive teams is intermittent, and threat responses are reactive.
Thankfully, that’s changing. A new, powerful methodology — Integrated, Digital Risk Modeling or IDRM — gives companies a timely, holistic, contextual view of their unique risk profile so they can stay ahead of today’s threats and challenges. And that’s reassuring to investors, customers, regulators and other stakeholders.
Cybersecurity Scrutiny Intensifies
Stakeholders assess cybersecurity disclosures reported in companies’ proxy statements, board committee charters, and 10-Ks required by the SEC, explains Jerry Perullo, Chief Information Security Officer (CISO) of Intercontinental Exchange, Inc.
“Public companies are seeing their cybersecurity disclosures and assertions weighed directly by investors, ratings agencies, and insurance providers — not to mention prospective customers,” he writes. “Investors and analysts are capturing cybersecurity maturity alongside other Environmental, Social, and Governance (ESG) priorities, and agencies are performing algorithmic reviews of public filings to score companies on their attention to cybersecurity.”
So, companies that can effectively capture, analyze, quantify, and report cyber enterprise risk data can create a competitive advantage and improve financial performance — for a growing number of reasons:
- By 2025, 60% of enterprises will use cybersecurity risk as a primary factor when assessing third-party transactions and business deals.
- Cybersecurity scrutiny is a critical component of M&A due diligence — where it can have a big impact on valuations.
- Clients and supply chain partners want greater focus on manufacturers’ cybersecurity postures.
- “Investors, especially venture capitalists, are using cybersecurity risk as a key factor in assessing opportunities,” Akin Gump notes.
- Data privacy is a growing concern for consumers.
- Cyber insurers have limited their coverage, increased their rates, and changed their underwriting standards due to the growing threat of cyberattacks.
- Financial audits are also increasingly focused on the potential for cyber threats to impact business performance, CPO Magazine reported. “Board members, senior leaders, and audit teams will need to start integrating cybersecurity into how they view compliance for Sarbanes-Oxley (SOX) and privacy-related mandates like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).”
A New Era in Enterprise Risk
Advanced technology has opened the door for a game-changing risk modeling methodology — Integrated, Digital Risk Modeling — which is enabling enterprises to improve their enterprise risk management and benefit from heightened cyber scrutiny. It provides the following benefits:
Instantly Actionable, Organization-specific Insights – At IDRM’s core is its approach to modeling. Inside-out modeling uses an enterprise’s unique operational data to continuously monitor risk exposure and generate instantly actionable, organization-specific insights. This is very different from the traditional model, which only looks at an organization’s industry and size (i.e., outside-in).
Quantifies Financial Impact of Risks – Through IDRM, companies can calculate the annual loss expectancy (ALE) of specific risks in order to understand their real-time financial exposure. With this intel they can see threats and vulnerabilities in a financial context, weigh and compare their potential impact, and inform priority setting and resource allocation.
Benchmark Performance Against Peers and Competitors That Matter – Enterprises have always used benchmarks to compare their risk exposure to industry peers. IDRM, however, delivers a game-changing ability to drill deeper into comparisons after data is normalized to account for industry type, company size, risk appetite, data assets, and other factors.
A Holistic Enterprise-wide Approach – The first word in IDRM is “integrated.” It offers the ability to automate any risk framework or enterprise use case and integrate enterprise-wide risk modeling, eliminating management silos and disparate reporting to enhance executive- and board-level decision making.
Intuitive Visual Dashboards Serve Executive, Management, and Operational Levels – IDRM provides a single optic into the enterprise. Visual analytics present comprehensive, enterprise-wide reports in clear, unbiased formats that lead to more consistent, confident decision-making and risk mitigation at each management level.
Enables Risk Scenario Planning – Artificial intelligence (AI) and machine learning (ML) drive IDRM to deliver a reliable, predictive process that enables enterprises to assess best- and worst-case scenarios, compare threats, and determine where to invest in risk mitigation. The platform continues to learn as it’s exposed to more enterprise data, which refines outputs and insights.
Meanwhile, the SEC is ramping up its examination of companies’ cybersecurity procedures and its enforcement actions. I’m betting that more stringent disclosure requirements are not far off.