Companies that fall victim to cybersecurity attacks can incur substantial costs, and public companies are not immune. In today’s world, public companies rely on digital technology to do business with their customers and partners. These digital technologies and networked systems present unique cyber risks, and without the proper protection, companies can be the target of the next cyber threat.
On February 21, 2018, the Securities and Exchange Commission (SEC) issued a guidance statement on Public Company Cybersecurity Disclosures. The “Guidance” serves to warn public companies that there is a need to enhance cybersecurity risk assessment and reporting programs.
The most impactful information in the guidance statement revolves around the need to report, on a periodic basis, material cybersecurity risks and the costs associated with breaches.
Traditional risk management strategies have not included a mechanism for assigning a monetary value to risk. Frameworks such as NIST, COBIT and ISO can assist in rating risk to the organization and help prioritize response, but they do not include monetary impact. Luckily, there are processes that can augment existing frameworks and allow companies to assign a monetary value to risks, as well as to the efforts associated with cybersecurity risk management and response.
When determining what areas should be evaluated for fiscal impact, the guidance statement suggests public companies contemplate the following issues, among others, in evaluating cybersecurity risk factors and what information should be included in the disclosure:
Risks identified through your cybersecurity program (and the management of those risks) represent real, equivalent business risks with material impact. If you need assistance in defining your cybersecurity risks in financial terms, please contact us at firstname.lastname@example.org or visit one of our Postlethwaite & Netterville (P&N) locations.
To access the full guidance statement: click here.