SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule
The SEC’s final rule is aimed at helping investors make informed investment decisions by providing them with information about public companies’ cybersecurity risk management. As security grows in importance to corporate governance, investors can use a company’s security maturity as a market differentiator. The final rule adopts new disclosure requirements in three main areas:
1. Cybersecurity Incidents
The SEC rule requires the disclosure of material cybersecurity incidents within four business days after the company determines a cybersecurity incident is material. The disclosure must include certain relevant aspects of the incident and must be filed, whether or not the incident is contained. Unfortunately, public disclosure of an unmitigated incident — even the general description — could still be sufficient for some savvy attackers to exploit and cause further harm.
2. Risk Management
The new rule also requires that public companies annually report on cybersecurity risk management and strategy. Companies must discuss elements including:
- Existence of a cybersecurity risk assessment program;
- Engagements with third parties in connection with such a program;
- If a company has processes to oversee and mitigate material third-party service provider cybersecurity risk; and
- The potential for cybersecurity risks to impact company operations or its financial condition
3. Board Oversight
Finally, public companies will now annually need to describe the board’s oversight of risks from cybersecurity threats, and describe the processes by which the board or a board committee is informed about such risks. Additionally, the disclosure must describe management’s role in assessing and managing the company’s material risks from cybersecurity threats.
The Increasing Costs of Cybersecurity Incidents
According to a report by IBM, the average cost of a data breach in the U.S. is $4.45 million. During a cybersecurity incident, often systems cannot process data or provide services to customers, resulting in business losses until the organization can repair them. Time is also an important factor — the general best practice is to keep ongoing cyber incidents quiet until they are contained and the attack vector is closed off, and it becomes more difficult to keep an incident quiet the longer the remediation takes.
The actual cost extends beyond the immediate business disruption and technical remediation burden. Additional factors that elevate costs include legal penalties, lower productivity, and reputational damage. Organizations may lose customers and investors after a cybersecurity incident, and regulatory bodies may require them to pay hefty fines. Across industries, the largest single factor contributing to the cost of a cybersecurity incident is the lost revenue resulting from lower customer retention and recruitment rates, and it takes most organizations some time to restore their reputation after an incident.
Prevention Is Cost-effective and Reputation-protecting
In cybersecurity, as in so much of life, prevention is better than cure. The SEC’s incident disclosure rule moves the cost-benefit calculation even more firmly on the side of prevention, which has the benefit of being less directly costly than an incident and helping avoid hard-to-measure impact on an organization’s reputation. Most cybersecurity incidents are the result of a malicious actor leveraging a known vulnerability in order to compromise a company's systems and data. Identifying and mitigating vulnerabilities is a very cost-effective approach to preventing many potential cybersecurity incidents.
For example, the average bounty paid for a valid vulnerability on the HackerOne platform is about $1,000 (which obviously encompasses a wide range depending on severity and impact). A vulnerability found and reported by an ethical hacker is one that can be fixed before it is exploited by an adversary. Compared to the average cost of a cybersecurity incident, even adding in the small overhead cost of operating a bug bounty program, the value is clear.
There are many ways in which HackerOne can help you prevent vulnerabilities from becoming incident disclosures:
- HackerOne Bounty: Continuous adversarial testing with the world’s largest hacker community will identify vulnerabilities of any kind in your attack surface. If you already run a bug bounty program with us, contact your Customer Success Manager (CSM) to see if running a campaign can help deliver more secure products.
- HackerOne Challenge: Conduct scoped and time-bound adversarial testing with a curated group of expert hackers. A challenge is ideal for testing a pre-release product or feature.
- HackerOne Security Advisory Services: Work with our Security Advisory team to understand how your threat model will evolve by bringing new assets into your attack surface, and ensure your HackerOne programs are firing on all cylinders to catch these flaws.
Proactive Cybersecurity Measures Help Demonstrate Robust Risk Management
The implementation of the SEC’s public disclosure requirements should incentivize companies to invest in proactive measures to identify and remediate security vulnerabilities, such as bug bounties programs. In combination with comprehensive security safeguards, bug bounties can prevent cyber incidents and help demonstrate security maturity to investors. As investors become more focused on cyber risks, the companies that prioritize safeguarding their digital assets and sensitive data will stand out.
To learn more about cybersecurity risk management and compliance, contact the experts at HackerOne.