March 31, 2022
Cyber Risk

SEC Cyber Risk Proposal:
A Call for Cyber Risk Quantification?

The US Securities and Exchange Commission (SEC) has made landmark proposals to amend existing rules around cyber risk, designed to enhance cybersecurity preparedness and resilience against attack. It reinforces a firm commitment to improving investor confidence, and cybersecurity assurance as per its Environment, Social, and Governance (ESG) agenda. The latest comes just 1 week after US Congress passed its Strengthening American Cybersecurity legislation into law mandating better monitoring and management of federal cybersecurity risk, and strict reporting procedures for adherence in the event of an incident.

This snapshot will provide you with a summary of the proposed changes to public companies: why it was instigated, what it contains, what it means for public companies, and the future of cyber risk management.

The Backdrop: Cyber Risk Management within Publicly Traded Companies

"We’ve been requiring disclosure of important information from companies since the Great Depression. The basic bargain is this: Investors get to decide what risks they wish to take. Companies that are raising money from the public have an obligation to share information with investors on a regular basis." Gary Gensler, SEC Chair, March 9th, 2022.

Capital market dependence on public companies to protect and proactively secure their data and assets has never been greater. The complexity and volume of information and technologies, coupled with the significant threat profile and valuable assets these companies possess, make them a key target for threat actors. According to a NASDAQ report, 14 market days after a breach becomes public, the average share price bottoms out and underperforms the NASDAQ by -3.5%. Investors display a high appetite for as much information as possible on a company’s cyber risk posture, due to the potential financial, legal, operational, and reputational impact of a breach.

The SEC’s proposal aims to strengthen the ability of investors to evaluate public companies’ cybersecurity practices and incident reporting. The measures intend to increase and promote transparency:

  1. To better equip investors with information regarding a company’s risk management strategy and governance
  2. Mandate the timely notification of cybersecurity attacks
  3. And for this information to be provided in a ‘consistent, comparable, and decision-useful manner’.

What changes are being proposed by the SEC?

The changes can be split into two distinct categories:

Cybersecurity risk management, strategy, and governanceThe proposal calls for mandatory, ongoing disclosures on companies’ governance and risk management related to cybersecurity risk, thereby equipping investors with standardized information to help assess the risk posture of companies.
  1. Management’s and the board’s role and oversight of cybersecurity risks;
  2. Whether companies have cybersecurity policies and procedures;
  3. And, how cybersecurity risks and incidents are likely to impact the company’s financials.
Cybersecurity incidents and disclosureThe proposal calls for mandatory accurate, timely reporting of ‘material’ cybersecurity incidents.
  1. There is a substantial likelihood that a shareholder would consider it important in making an investment decision, or if it would seriously alter the total mix of information made available.
  2. The public company must disclose the incident within four days of a determination that an incident has taken place.
  3. Incident response and forensic investigation would not be deemed a reasonable basis for delaying or avoiding disclosure. However, the company would not be required to publicly disclose details of vulnerabilities or its incident response so as to avoid further exposure.

What this means for cybersecurity risk management

The bottom line for cybersecurity risk management is that the buck will always stop with the board.

Harvard Law School puts it succinctly: “Companies should be thinking about their cybersecurity disclosures to not only reduce litigation risk but to reduce the real levels of business-related cyber risk facing their companies.”

Some commentators will see a successful vote on the proposal as the SEC foraying beyond disclosure regulation and using its position to directly mandate cyber risk quantification through regulation.

How to enable the board with cyber risk quantification

The board of an organization is duty-bound to protect shareholder investment. It cannot serve stakeholders with technical insights expecting them to decode and contextualize cyber risk. Instead, it needs a translation of cybersecurity risk into the language of business: dollars and cents.

By converting the message into financial terms – the value of a potential breach – business executives are able to gain a better contextual understanding of risk posture and its impact on the business. In turn, it improves collaboration between the board and security management due to their shared and common understanding of current posture, risk exposure, and what needs to be prioritized and mitigated to reduce that exposure – the value of the potential breach on the business.

Safe Security goes one step further with the SAFE Score - a real-time metric that represents the likelihood of a breach occurring given an organization’s current cyber risk posture. Its data-science-enabled recommendation engine prioritizes cyber risk management strategies and enables a transparent decision-making process. SAFE also simulates the change in financial impact if risks are mitigated or transferred via cyber insurance.

Visibility from security through to governance and investors

Guesswork is the enemy of successful risk management. CISOs strive to gain a reliable, consistent, and accurate measurement of their risk posture. However, it is easier said than done. They may have an arsenal of tools at their disposal, but rarely are they able to pool all of that information to give a contextualized map of cyber risk. Cyber Risk Quantification within SAFE removes this barrier to visibility through API-based integrations that pull your data into a central dashboard to perform as a single source of truth.

For Security and Risk Management leaders:

  1. Visibility is crucial if companies are to successfully achieve detailed disclosure within the four-day window proposed by the SEC. In the event of an incident, all eyes are on the board but the magnifying glass is on the CISO.
  2. With Cyber Risk Quantification, CISOs can be assured that they have been able to prioritize, assess, and mitigate risk with all of the information available to them, and have transparently communicated the same to relevant stakeholders.
  3. Importantly, they’re able to prove that they’ve done everything reasonably possible to reduce the likelihood of a damaging outcome in the event of a breach.

For security architects and engineers:

  1. If we think about the practicalities of risk remediation, there’s often a feedback delay. How does an engineer know that a new control or mitigation has been successful? Should they wait for the vulnerability not to take place? Beyond testing before deployment, it’s not very scientific.
  2. Cyber Risk Quantification removes that uncertainty. The SAFE score within our platform will simulate the actual knock-on effect of that mitigation on your score which is also reflected in your likelihood of a breach, and financial representation of a possible breach.
  3. Pooling information from each platform across their complex stack can be complicated. Safe understands this, and through MIT-backed algorithms, is able to quantify, prioritize, and present risk according to the severity and likelihood of it being utilized by threat actors. The SAFE platform helps measure, manage, and mitigate risk across the five main vectors of attack – people, processes, technology, cybersecurity products, and third parties – ensuring visibility and coverage across the organization.

What’s next?

Public companies will need to look for solutions that will enable them to fulfill SEC requirements. For commentators and experts across the cybersecurity industry, the measures that the SEC is calling for requires Cyber Risk Quantification, as provided by our dedicated team of experts here at Safe. The continuous assessment that it would mandate can only be achieved using a real-time, always-on platform that can pool all data, regardless of source, and present a visualization of risk posture accurately. This cannot be achieved using any other means.

The proposal has been published on and the Federal Register soliciting comments. However, the industry awaits further announcements from the SEC as its chair, Gary Gensler, has revealed his request to his staff to make additional recommendations for consideration relating to broker deals, systems compliance integrity, and intermediaries regarding customer notices which we expect in the coming months.