Firstly, the proposal states that cyber risk management reports would form part of the standard SEC 8-K reporting process, in line with the company's existing reporting obligations as a listed entity. Reports would cover the company's cyber risk management policies and procedures, its cyber risk management and governance framework, and the Board's expertise in this area. Cyber incidents, updates on previously reported incidents, and their business implications must also be reported.
As is usually the case with any new regulation, the text itself is, in many ways, the easiest part to digest. The challenge lies in mastering the detail and working out how best to align your risk management systems and processes with it. In some cases, this may force companies to go back to first principles and understand and document their existing cyber security systems and procedures, so that everything is identified and recorded end-to-end. This approach also lets companies identify gaps in the business that could be exposed to regulatory scrutiny, along with the operational, commercial, or reputational risks those gaps create.
While gaps and issues may emerge from this analysis, that is not to say that listed companies are oblivious to cyber risk issues. No listed company – or company planning to list – will be without a cyber security policy, a range of relevant systems and processes, and likely, the appointment of a Chief Information Security Officer (CISO).
The key challenge is working out how best to capture and consolidate all of this effort and activity so that the company is resilient, stands up to regulatory scrutiny, and can grow as it needs to, with cyber security enabling the business rather than holding it back.
Historically, companies have looked towards enterprise risk management (ERM) applications to address and enhance their cyber risk management capabilities. This approach can be very prescriptive, and while ideal for some businesses, it is often a challenge for many others to implement.
Many companies understand the importance of selecting the right ERM solution, as technology can be a strong ally. Leveraging modern SaaS-based technologies to manage cyber risks is a dynamic approach that ultimately benefits the organization: easier to deploy and more user friendly, they can enhance your existing capabilities and processes to ensure operational resilience.