Cybersecurity risk management is slowly being recognised as a significant issue by many governments that are turning to legislation and regulatory enforcement regimes to enforce cybersecurity compliance. Recent cyberattacks including those on SolarWinds, JBS Meat, Kaseya, Colonial Pipeline and Toyota have demonstrated the impact of cyber on supply chains; the average cost of a cyber-attack increased in 2021 to US$4.24 million, from US$3.86 million in 2020; 2021 saw the rise of ransomware as the predominant cyber threat confronting businesses of all sizes; cyber-insurance costs are increasing, coverage is falling and insurers are adding policy exclusions or cancelling policies altogether if they cover the Ukraine Russia conflict; and the recent cyberattacks on Electronic Arts, Microsoft, Samsung, Ubisoft, Nvidia and Okta by the Lapsus$ group demonstrated that script kiddies can successfully disrupt major brands.
Cyber-related incidents were once extremely rare events. However in risk language, the likelihood of a cyber-attack for many companies has moved much closer to ‘1’, than ‘0’ (probability of 1, it will happen). Losses from cyberattacks could once be considered extreme loss events, with minimal financial loss using Distributed Denial of Service (DDoS) attacks. In 2021 cyberattacks were significantly more complex, frequent and the predominant cyber threat was from ransomware, capable of inflicting direct corporate financial losses of US$10s of millions. Costs that include ransomware payments, remediation costs, lost current and future sales, cybersecurity implementation costs and increasingly legal costs that include class action lawsuits for data breaches. For public companies, lawsuits addressing the impact on shareholder value through brand, reputation and share price are increasing. For Critical National Infrastructure (CNI) providers cyberattacks create broader risks for society. For example a cyber-attack on a power generator can have a catastrophic impact on other CNI providers such as water, financial services, health, transportation, pharmaceuticals, defence and food production.
It has long been thought that the public and private sector can address cybersecurity risk through market forces. Allowing the boardroom to manage cybersecurity risk, as they manage any other critical enterprise-wide risk. But the significant supply chain hacks of 2020 and 2021 demonstrated to many that market forces alone are not working, highlighting that the public and private sector have not focused enough effort on cyber-supply chain risk management (C-SCRM). In the US this resulted in the signing of Executive Order 14017 ‘America’s Supply Chains – February 2021’ and Executive Order 14028 ‘Improving the Nation’s Cybersecurity – May 2021’. Setting the direction of travel for US cybersecurity and cyber-risk management legislation and regulatory enforcement for 2022 and beyond.
The SEC response
In what is a response to the increase in cyberattacks and the risk of cybersecurity incidents on the US economy and market registrants, the Securities and Exchange Commission (SEC) proposed amendments to its rules on 9 March 2022. Formalising disclosure of cybersecurity risk management, strategy, governance and incident reporting by boards of US public registrants. The proposal, if implemented, will require registrants to formally disclose;
This is a significant update by the SEC on cybersecurity, risk management and governance. It will have a major impact on registrants who require access to capital on US markets. Why?
Impact of the proposal
If the proposal moves ahead which is highly likely, boards of market registrants should carefully consider its impact. It will provide timely and relevant disclosure to investors and other market participants such as financial analysts, investment advisors and portfolio managers. Enabling them to assess the implications of cybersecurity maturity, risk management, board oversight and assurance and the possible effects of a material cybersecurity incident on short and long term financial and operational performance. These are likely to have a direct impact on credit ratings (cost of capital), cyber insurance premiums and share price.
The proposal will provide market data that could increase legal and compliance risk. In October 2021 the US Department of Justice (DoJ) announced its Civil Cyber Fraud Initiative. Making it clear that organisations that supply Federal Agencies could be fined under the False Claims Act (FCA) if they fail to meet expected cybersecurity standards under contract. The first round of disclosure will generate market conversations and could result in investigations from the DoJ or the SEC. For example, defence contractors that have reported high NIST compliance scores required under US DoD DFARS regulations, or the first CMMC assessments carried out to complete DoD contracts may find themselves managing variances in SEC reporting.
Cybersecurity risk management disclosures may also be useful for civil litigation. Companies that are unfortunate enough to suffer a cybersecurity incident may find that their cybersecurity risk management, strategy and governance disclosures are used to challenge their cybersecurity maturity, reported to the SEC over a number of years.
For those that have not read the proposal I would strongly recommend that you do so. While it may not end up looking exactly the same when it is finalised, it is highly likely to be implemented and for the defence industry create additional regulatory and compliance burden and legal risk.
By Andy Watkin-Child, Founding Partner of The Augusta Group