Communicating Cyber Risk to Investors: A Draft Form 10K Submission Inline with the Proposed SEC Rules

Recent cyber attacks have resulted in serious impact to the profitability, reputation, and stock prices of companies. There is a heightened spotlight on decisions and actions of senior corporate leaders as it pertains to cyber risk management.

In response, the United States Security Exchange Commission (SEC) has proposed ways to enhance and standardize how public companies disclose their approach to governance of cybersecurity risk management and attest to the level of cybersecurity expertise of their board. The proposed rules mean that public companies will need to formalize how they report on cybersecurity risk to their board of directors, regulators and investors.

In terms of communicating cyber risk to investors, companies will likely do this as part of their Form 10K submission. I thought it might be interesting to imagine how a 10K submission might look for two key categories required by the SEC, Cybersecurity Risk and Governance, as below:

Cybersecurity Risk

Preamble:

To meet business objectives, the Company relies on both internal information technology (IT) systems and networks, and those of third parties and their vendors, to process and store sensitive data, including confidential research, business plans, financial information, intellectual property, and personal data that may be subject to legal protection, and ensure the continuity of the Company’s supply chain.

The registrant has a cybersecurity risk assessment program and if so, provide a description of such program;

The risk associated with cyber threats is highly dynamic. On one side, new threats are identified, new vulnerabilities detected, and new attack paths developed. On the other hand, companies work tirelessly to remediate vulnerabilities, patch systems, update agents, and respond to new threats. This is why the Company has invested in a cybersecurity risk assessment tool which continuously updates our current cyber risk exposure in line with the changing threats and our ongoing response to them.

The registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;

The Company works with a third-party Cyber Risk Quantification partner who’s systems automatically ingest information regarding the current state of the Company’s information technology environment and using specialized algorithms provide an assessment of the company’s Cybersecurity Risk Exposure as well as providing targeted remediation advice to bring the Company’s risk exposure to an acceptable level. In this way, the Company is able to respond rapidly to the changing cybersecurity threat landscape.

The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;

Ideally the Company’s third-party suppliers will be using either the same or similar Cyber Risk Quantification Tool such that suppliers’ Cyber Risk exposure can be well understood and integrated into the Company’s Cyber Risk exposure calculations. However, this is not always possible. Therefore, working with the Company’s Cyber Risk Quantification partner we require our third parties to provide specific information on a regular basis to inform the Company’s understanding of its supply chain cyber-risk exposure. Failure to agree to provide such information is a factor when selecting partners.

The registrant undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents;

The Company’s Cyber Risk Quantification partner provides actionable information to ensure the Company’s information technology estate is continuously updated to minimize cybersecurity threats. In addition, the Company utilizes a number of tools to enable the detection of potential breaches and a 24/7 security operations center which is able to respond immediately minimizing the effects of potential incidents.

The registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;

The Company has comprehensive contingency and recovery plans in place to ensure the ongoing provision of services to its clients in the event of a major cybersecurity incident. These are tested on a regular basis against severe but plausible scenarios.

Previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies;

Utilizing the dynamic cyber risk exposure capabilities of our Cyber Risk Quantification partner, the Company is able to understand very quickly the extent to which it and its supply chain is potentially vulnerable to new cybersecurity threats which have been identified or have affected other companies. This enables the Company to make decisions regarding its response to the increase in cyber risk exposure. This may result in changes to Governance, policies, procedures, technologies, or indeed partners.

Cybersecurity related risk and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition and if so, how; and

There have been no material cybersecurity incidents in this reporting year.

Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation and if so, how.

The ability to protect the Company from cybersecurity risks has been at the heart of its business strategy. The Company wants to be the trusted supplier of choice for our clients. Therefore, this drives the Company’s desire to understand and react to dynamic changes in the cybersecurity landscape. Capital is allocated on an annual basis to ensure the Company’s cyber risk posture is optimal to meet its needs. The use of a dynamic cyber risk quantification tool not only enables the Company’s board to track the Company’s Cyber Risk Exposure over time, and to respond to changes in the environment, but it enables the Company to optimize its response and to demonstrate effective return on investment for its cybersecurity spend.

Governance

Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks;

Given the position cybersecurity has in the Company’s strategy to be the most trusted partner for our clients and the potential costs to the business of a major cybersecurity event, Cybersecurity is a standing topic for the Board. With particular scrutiny being provided in the Board Risk Committee.

The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and

Cybersecurity Risk is a standing agenda item for the Board. Given the Company’s investment in a dynamic Cyber Risk Quantification Tool, the board reviews the Company’s current Cyber Risk Exposure and trends over the previous period. Particular attention is paid to understanding spikes in Exposure and metrics regarding how quickly the Company has been able to respond to reduce Cyber Risk Exposure to an acceptable level.

Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.

The Board considers cybersecurity risks in all three domains. In alignment with our data-driven approach to business, the Board considers it an imperative to understand the Company’s Cyber Risk Exposure as close to real time as possible. Having this insight enables the Company to make business strategy decisions cognizant of Cybersecurity trends, make active and timely interventions to mitigate Cybersecurity Risk, and ensure value for money in its cyber security spend.

Next Steps

The SEC’s proposed rules are a major step in helping companies better inform their investors about the state of their cyber risk.

To get ahead of these changes, it’s important that you review these regulations and evaluate what impacts they might have on your company. Determine if you have the right solutions and procedures in place to accurately identify these cyber risks. And, take a look at operational changes you might need to make in order to meet the proposed requirements.

If you’re not already assessing and quantifying your cyber-risk. I might know some folks who can help………