Wednesday, March 03, 2021

Cyber-Risk Disclosure Drum Beats Louder

A group of cybersecurity practitioners is calling on public companies to disclose the risks they face from cyber threats, including supply-chain security risks like the recent SolarWinds breach. The U.S. Securities and Exchange Commission has, in recent years, required companies to disclose some information about how they identify and manage cyber risk, but they aren’t legally required to say how much money they spend on cybersecurity or even to disclose an attack unless hackers steal sensitive data. Additionally, SEC disclosures can be as vague as “cyberattacks could have a disruptive effect on business,” which isn’t very helpful to investors trying to assess a company’s cyber risk.

A new report, co-authored by SecurityScorecard, the National Association of Corporate Directors, the Cyber Threat Alliance, Diligent, and IHS Markit, says companies should be more transparent. In the wake of SolarWinds and increased supply-chain scrutiny, companies should detail to investors their specific risks, including operational disruption, intellectual property theft, loss of sensitive client data, and fraud caused by business email compromise, it says.

“Companies can do more when it comes to the cyber for disclosing cyber risk,” said Sachin Bansal, general counsel at SecurityScorecard. “You heard that last week at the hearings, and Microsoft made a comment about having more transparency and disclosure from private companies.”

Bansal is referring to last week’s U.S. Senate hearings investigating the SolarWinds attack. Microsoft President Brad Smith told the Senate Intelligence Committee that the scope of the breach remains unknown because companies aren’t legally required to disclose attacks. He also called for greater transparency to improve cybersecurity.
“Look at the SolarWinds breach,” Bansal continued. “That was something FireEye disclosed and decided to voluntarily share. They took a huge risk by publishing an open kimono on the attack and what happened to them, and it caused other companies to come forward.”

SecurityScorecard is a cybersecurity ratings company that has assigned ratings to more than 1.6 million organizations globally. Forrester Research recently named it a “leader” in its New Wave: Cybersecurity Risk Rating Platforms report for Q1 2021. The ratings firm wants public companies to do a better job of assessing and managing the cyber risks posed by their third-party vendors.

“Vendor due diligence is broken,” Bansal said. “Companies have a smorgasbord of vendors that hold the most sensitive data, but many companies have been flying blind on cyber vendor due diligence, and that has to change.” Companies should use automated preventative controls and technology that assess third-party risk on a continuous basis, he added. “Security ratings are one such example of both of those, but it isn’t a silver bullet.”

“The current regime of penetration tests and risk assessments is good hygienic measures, but they aren’t enough,” Bansal said. “If that system was working, we wouldn’t be seeing that vendors are the leading cause of a breach for at least the last two years. Companies have thousands of vendors and no visibility on which vendors are falling behind and who presents a risk to them because the current control measures are not automated, and they’re not done on a continuous basis.”

There are some indications, coming from boardrooms and the federal government, that companies are moving toward improved cybersecurity disclosure. The Cyberspace Solarium Commission, which Congress established in 2019 to defend the U.S. against major cyberattacks, last year recommended, among other things, amending the Sarbanes-Oxley Act of 2002 to clarify cybersecurity reporting requirements for public companies.
This would include mandating that they maintain records of cybersecurity risk assessments. And in January, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommended security ratings as “a starting point for companies’ cybersecurity capabilities and [a tool to] help elevate cyber risk to board decision making.”

“Cybersecurity is now very much a recurring agenda item for boards in the United States,” said Friso van der Oord, director of research at the National Association of Corporate Directors (NACD). “In one of NACD’s recent surveys, 70% of board directors reported viewing cybersecurity as ‘a strategic enterprise risk,’ while almost 40% of directors see shifting cybersecurity threats as one of the top five trends that will have the greatest effect on their company in 2021.”

The NACD expects that boards will take a more proactive approach to security oversight by requiring tools such as quantification approaches that measure cyber-risk management and spending, he added. The organization, which co-authored the report, wants to see it create more momentum among public companies to improve the quality of their cyber-risk disclosure.

“In particular, disclosures should communicate how companies are managing cyber risks to a controllable level, where management sees material risk exposure, potentially imperiling major operations, strategic initiatives, and ultimately (long-term) financial performance, and what the most significant cyber threats are to the company and industry,” he wrote in response to questions. “Also, it would be helpful to report how the board of directors (as the representative of shareholders) develops a level of assurance that cyber risks are well-managed, for example by disclosing how frequently the board receives reports on cyber risks and their mitigation, and the access to independent cybersecurity expertise they have,” he said.
“We believe that shareholders, and frankly, all stakeholders, deserve more transparency into how companies are managing this persistent, very strategic risk, regardless of the industry in which they operate.”