It’s Time to Flip the Script on How We Measure and Communicate Cyber Risk


The U.S. Securities and Exchange Commission (SEC) recently signaled its intent to get much tougher on companies over their management of cyber risk and their inadequate disclosure of cybersecurity vulnerabilities. This summer, the SEC issued $1.5 million in fines against two companies: one for allegedly misleading investors about the details of a data breach, and another for a lack of disclosure controls following the discovery of a vulnerability that exposed 800 million files containing personal and financial information.

“These fines signal a major shift, and one that could profoundly change the way companies think about cybersecurity threats, communicate internally about these threats, and disclose breaches,” Stephen Riddick, General Counsel at Tenable, writes this month in the Harvard Business Review. The settlements, he argues, signal “a more forceful and direct approach from the SEC when it comes to how organizations communicate their cybersecurity risk posture and management – and companies should take notice.”

Companies should indeed take notice, because settlements are only one piece of the financial impact of cyber risk. Many companies don't know what their exposure is to any given cyber event, including the impact in terms of response costs, lost revenue, insurance costs, and brand equity. It is difficult to prioritize vulnerabilities without understanding how much risk they bring to the business. Organizations carry many unpatched vulnerabilities because thousands of Common Vulnerabilities and Exposures (CVEs) require patching, and that volume exceeds the capacity of most security teams. With little to no insight into which CVEs pose the biggest risk to their particular business, security teams have no sound way to prioritize their patching efforts.

ThreatConnect's automated cyber risk quantification solution puts a financial value on risk and makes control recommendations based on how much financial risk each control reduces. It computes the financial risk to an organization's business and calculates how much of that risk a given vulnerability contributes. It provides short-term recommendations so companies can prioritize their patching efforts and show how much financial risk is being reduced. This allows companies to quickly determine which vulnerabilities pose the greatest financial risk to their organization and to re-prioritize in real time as the capabilities of threat actors, business operations, or the IT landscape change.

Riddick offers crucial guidance on the steps an organization and its leaders can take to avoid fines and judgments. One more I would add is an operational paradigm change to measure and communicate risk based on its financial impact on the business and its stakeholders. Attacks have material financial consequences, so organizations should start identifying their greatest financial risk scenarios to focus on enhancing controls that buy down the most risk.

About the Author
David Hopland

David is the Sr. Director of North American Commercial Sales at ThreatConnect. He’s been with ThreatConnect since 2015 and leads a team that specializes in working with customers to understand what matters to them, and then working to implement those solutions. David holds a B.S. in marketing management from Virginia Tech, with a double minor in psychology and international business. Cybersecurity is his passion but love of food is what fuels him.
