The U.S. Securities and Exchange Commission (SEC) recently signaled its intent to get much tougher on companies when it comes to their management of cyber risk and inadequate disclosure of cybersecurity vulnerabilities. This summer, the SEC issued $1.5 million in fines against two companies – one for allegedly misleading investors about the details of a data breach and another for lack of disclosure controls following the discovery of a vulnerability that exposed 800 million files containing personal and financial information.
“These fines signal a major shift, and one that could profoundly change the way companies think about cybersecurity threats, communicate internally about these threats, and disclose breaches,” Stephen Riddick, General Counsel at Tenable, writes this month in the Harvard Business Review. The settlements, he argues, signal “a more forceful and direct approach from the SEC when it comes to how organizations communicate their cybersecurity risk posture and management – and companies should take notice.”
Companies should indeed take notice, because settlements are only one piece of the financial impact of cyber risk. Many companies don’t know their exposure to any given cyber event, including the impact in terms of response costs, lost revenue, insurance costs, and brand equity. It is difficult to prioritize vulnerabilities without understanding how much risk each one brings to the business. Organizations carry many unpatched vulnerabilities because thousands of Common Vulnerabilities and Exposures (CVEs) require patching, a volume that exceeds the capacity of most security teams; with little to no insight into which CVEs pose the biggest risk to their particular business, security teams have no sound basis for prioritizing their patching efforts.
ThreatConnect’s automated cyber risk quantification solution puts a financial value on risk and recommends controls based on the financial risk reduction each one delivers. It computes the financial risk to an organization’s business and calculates how much of that risk each vulnerability contributes. It gives companies short-term recommendations so they can prioritize their patching efforts and show how much financial risk is being reduced. This allows them to quickly determine which vulnerabilities pose the greatest financial risk to the organization and to re-prioritize in real time as the capabilities of threat actors, business operations, or the IT landscape change.
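To make the idea of prioritizing by financial risk concrete, here is an added, deliberately simplified Python illustration. It is not ThreatConnect’s model or code: it expresses risk as annualized loss expectancy (event frequency times loss per event) for a handful of loss scenarios, attributes a share of each scenario to the unpatched findings that enable it, ranks findings by the dollars they account for, and then builds a patch plan by marginal risk reduction, capping the combined reduction on any one scenario at 100% so that two fixes feeding the same scenario are not double-counted. Every scenario name, frequency, loss figure, finding label and share below is a constructed assumption for the example, not data from the page.

```python
from dataclasses import dataclass


@dataclass
class LossScenario:
    """A business loss event sized in money terms (all figures constructed for this example)."""
    name: str
    annual_frequency: float  # expected occurrences per year (assumed)
    loss_per_event: float    # USD per event: response cost, lost revenue, fines, brand damage (assumed)

    def ale(self) -> float:
        """Annualized loss expectancy: frequency x magnitude."""
        return self.annual_frequency * self.loss_per_event


@dataclass
class Vulnerability:
    """An unpatched finding and the share of each scenario's frequency that patching it removes.
    Shares are analyst estimates (assumed here), not CVSS scores."""
    ident: str
    shares: dict  # scenario name -> fraction of that scenario removed by patching


def scenario_index(scenarios):
    return {s.name: s for s in scenarios}


def total_risk(scenarios) -> float:
    """Expected annual loss across all scenarios with nothing patched."""
    return sum(s.ale() for s in scenarios)


def risk_contribution(vuln, scenarios) -> float:
    """Dollars of annual expected loss this finding accounts for on its own."""
    idx = scenario_index(scenarios)
    return sum(share * idx[name].ale() for name, share in vuln.shares.items() if name in idx)


def residual_risk(patched, vulns, scenarios) -> float:
    """Expected annual loss after patching the findings in `patched`.
    Shares feeding the same scenario add up but are capped at 1.0, so several fixes
    can never remove more than the whole scenario."""
    patched = set(patched)
    residual = 0.0
    for s in scenarios:
        removed = sum(v.shares.get(s.name, 0.0) for v in vulns if v.ident in patched)
        residual += s.ale() * (1.0 - min(1.0, removed))
    return residual


def rank_by_financial_risk(vulns, scenarios):
    """Highest-dollar findings first: this is the patch priority list."""
    return sorted(((v.ident, risk_contribution(v, scenarios)) for v in vulns),
                  key=lambda t: t[1], reverse=True)


def greedy_patch_plan(vulns, scenarios, max_patches):
    """Choose patches one at a time by marginal risk reduction given what is already patched."""
    patched, plan = [], []
    remaining = list(vulns)
    for _ in range(max_patches):
        if not remaining:
            break
        before = residual_risk(patched, vulns, scenarios)
        best = max(remaining,
                   key=lambda v: before - residual_risk(patched + [v.ident], vulns, scenarios))
        reduction = before - residual_risk(patched + [best.ident], vulns, scenarios)
        patched.append(best.ident)
        remaining.remove(best)
        plan.append((best.ident, reduction))
    return plan


# Constructed sample data (assumptions for the illustration, not real findings).
SCENARIOS = [
    LossScenario("ransomware_outage", 0.4, 2_500_000),     # ALE 1,000,000
    LossScenario("customer_data_breach", 0.2, 3_000_000),  # ALE 600,000
    LossScenario("web_defacement", 1.0, 50_000),           # ALE 50,000
]
VULNS = [
    Vulnerability("VPN-RCE", {"ransomware_outage": 0.5, "customer_data_breach": 0.3}),
    Vulnerability("DB-AUTH-BYPASS", {"customer_data_breach": 0.6}),
    Vulnerability("WORKSTATION-LPE", {"ransomware_outage": 0.3}),
    Vulnerability("CMS-XSS", {"web_defacement": 0.9}),
]

if __name__ == "__main__":
    print("baseline annual risk: $%.0f" % total_risk(SCENARIOS))
    for ident, dollars in rank_by_financial_risk(VULNS, SCENARIOS):
        print("%-16s $%.0f/yr" % (ident, dollars))
    for ident, reduction in greedy_patch_plan(VULNS, SCENARIOS, 2):
        print("patch %-16s buys down $%.0f/yr" % (ident, reduction))
```

With these assumptions the web-facing XSS, which a severity-only scheme might put near the top, ranks last because the scenario it feeds is cheap, while the VPN flaw ranks first because it feeds the two most expensive scenarios. The inputs that matter, frequencies, loss magnitudes and attribution shares, are exactly the quantities most organizations do not have, which is the gap the paragraph above describes.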
Riddick offers crucial guidance on the steps an organization and its leaders can take to avoid fines and judgments. One more I would add is an operational paradigm change to measure and communicate risk based on its financial impact on the business and its stakeholders. Attacks have material financial consequences, so organizations should start identifying their greatest financial risk scenarios to focus on enhancing controls that buy down the most risk.