The U.S. Securities and Exchange Commission (the “SEC,” or the “Commission”) has in recent years demanded greater transparency from public companies in how they identify, measure, and manage cyber-risk. Too often, cyber-related disclosure language is boilerplate in a way that could not assist an investor in assessing a company’s cyber-risk profile or management of those risks.
In the wake of SolarWinds and the increased supply-chain security scrutiny in Washington DC, companies should be explaining to investors the specific risks they face from cybersecurity threats, including, among others, operational disruption, intellectual property theft, loss of sensitive client data, and fraud caused by business email compromises.
Companies should also be explaining the categories of both technologies and processes they employ to mitigate those risks. Failure to do so is increasingly costly and is described by former SEC commissioner Robert J. Jackson Jr. as “the most pressing issue in corporate governance today.”
In practice, businesses are slowly but unmistakably moving in the direction of increased transparency. This trend must continue for investors to begin deriving actionable value from cyber-risk disclosures. For example, certain companies are beginning to identify the specific technologies they are using in their program through their cyber-risk disclosures; others have started noting the materiality of their vendor risk exposure, to which regulators are paying particular attention in the aftermath of the 2020 SolarWinds attack.
The next logical step is for these evolutions to converge. An increasing number of tools are available to help companies evaluate their own security posture and that of their partners and vendors. For example, security ratings, as recently recommended by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), can create objective metrics to cover, amongst others, leading cyber hygiene indicators like Domain Name System (DNS) health, web application security, network security, leaked information, endpoint security, and patching cadence.
