Prioritizing Cyber Risk Ratings in the Wake of SEC Regulations and Evolving Threats
By JEFF SHARER
With increased Securities and Exchange Commission (SEC) regulations, more cyber threats, and evolving technological exposures, all organizations must prioritize understanding their cybersecurity vulnerabilities.
Continuous scanning and monitoring of critical internal applications are crucial to identifying exploitable weaknesses before an attacker does. They also improve business outcomes, regulatory compliance, and the likelihood of insurance recovery after an incident.
Several firms provide cybersecurity ratings that assess a company’s cybersecurity posture. Consistently monitoring these ratings to ensure that they accurately reflect the organization’s actual risk posture is a priority: a stale or misattributed rating produces inaccurate risk assessments and can have real negative business impacts.
Internal cyber risk scoring should be anchored to the Common Vulnerability Scoring System (CVSS), the globally accepted standard referenced by cybersecurity authorities worldwide. When a vulnerability becomes publicly known, its CVSS score is the common reference for its technical severity. Note that CVSS measures the severity of a vulnerability, not the business risk of a particular deployment, so it must be combined with internal context about the affected system.
Organizations should adopt an internal risk appetite framework that uses a heat map, plotting business criticality against vulnerability severity, to identify their most critical business applications and operations and the ones most exposed in the event of a cyber attack.
These internal ratings, ranging from low through high to critical, aid in prioritizing responses and establishing an effective cyber program. Data from internal vulnerability scans is used to assess the firm’s financial and operational risk and to rate internal exposure against publicly known, CVSS-scored vulnerabilities.
These ratings and scores help assess the level of cyber risk and vulnerabilities, identify areas for improvement, and aid in developing strategies to mitigate risks. Furthermore, they enhance transparency and demonstrate the organization’s commitment to protecting sensitive information.
While some industries, like finance and healthcare, have been proactive in adopting advanced technologies to mitigate cyber risks, others have been slower to adapt. New technology can help all organizations, regardless of industry, monitor vulnerabilities while reducing costs.
How To Leverage Cyber Risk Ratings
Organizations can harness cyber risk ratings to optimize various aspects of their business.
• Insurance: Cyber risk ratings are vital for insurance decisions. They enable organizations to negotiate favorable terms and adequate coverage. Insurers consider these ratings when determining rates, often offering organizations with favorable ratings more comprehensive coverage at lower cost. These ratings serve as valuable tools in the cyber insurance market, providing insight into exposures and facilitating a better understanding of risk transfer and insurance costs.
• Business partnerships: Future business partners evaluate risk scores to assess potential partnerships and determine company valuation for private equity deals. Companies can leverage their cyber risk rating as evidence of trustworthiness, especially when establishing third-party vendor relationships.
• Compliance: Ratings support regulatory compliance by measuring an organization’s cybersecurity posture and identifying vulnerabilities and areas of non-compliance. Monitoring cyber risk scores enables organizations to enhance security, meet regulatory standards, and mitigate legal and financial consequences.
• Litigation Defense: A favorable cyber risk rating, one that reflects low assessed risk, strengthens the defense in compliance lawsuits. It documents diligent, ongoing efforts to address risks, ensure regulatory compliance, and protect sensitive information, and it showcases the organization’s commitment to cybersecurity and adherence to best practices.
Complying With Regulations
Increasing regulatory scrutiny means organizations need to demonstrate effective cyber risk management. The SEC’s rules require organizations to maintain robust security measures, and businesses face potential legal and regulatory liability if they fail to implement the required practices. Private equity firms that own companies face analogous cybersecurity disclosure responsibilities under the SEC’s proposed rules for advisers and funds.
Like CFOs and CEOs, chief compliance officers (CCOs) carry personal liability for verifying security measures. Non-compliance can result in significant financial penalties, including fines, disgorgement of gains, and injunctions. Civil lawsuits and enforcement actions may also follow, leading to further financial penalties and restrictions on company activities.
Technological tools aid legal professionals in ensuring compliance and reducing liability risk. The SEC’s proposed Rule 10 would require financial institutions and private equity funds to disclose their cyber risk management practices. Software that tracks cyber risk ratings over time gives organizations a documented record with which to demonstrate compliance with the rule.
As cyber threats continue to escalate, it is imperative that organizations and their counsel wholeheartedly embrace all tools available to help them navigate cyber risks.
Staying proactive and monitoring ratings allows organizations to promptly address any exposures that arise. By doing so, they can stay ahead of the curve and effectively protect their company and their clients in this rapidly changing digital environment.