What the SEC and Other Regulators Are Saying About Where to Start Your CRQ Journey

There have been quite a few regulatory developments recently surrounding cybersecurity and its bedfellow, tech, or IT/ICT (Information and Communications Technology) risk. So, I thought I’d take a few lines to explore some of the salient points and what they might mean for cyber risk professionals in the coming weeks and months.

There’s quite a lot going on.  As discussed in a previous blog, the US SEC put forward proposals last year for mandatory disclosure of cyberattacks to the regulator as well as requirements for “periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk”.  This essentially requires listed companies to explain how they govern, assess, and manage cybersecurity within their annual filings. It is expected that these mandatory reporting requirements will be finalized this month (April 2023).

In November last year, the New York Department of Financial Services (DFS) proposed amendments to their Part 500 Cybersecurity Regulations. These amendments tighten up the standards for cybersecurity including its risk assessment and require that both the CISO and the highest-ranking executive of the covered entity certify their compliance with the regulations. It is expected that the amendments will come into force in the coming quarter (May 2023).

In Europe, the EU’s Digital Operational Resilience Act (DORA) was published in January this year. It’s aimed at financial services firms, but crucially also covers third-party providers of ICT services that are critical for financial entities. There are some significant heavy-lifting requirements for firms to assess and manage their ICT risks (including cyber) and they have until Jan 2025 to put in place the capabilities to do it.

There are of course many other new regulations around the globe which I won’t go into now. Some common themes related to managing and quantifying cyber risk seem to be emerging. These are:

Accountability:

Regulators are making sure that accountability for the management of cybersecurity risk is placed firmly in the hands of a firm’s board, and that those boards have sufficient knowledge and skills to be able to understand and assess their cyber risk.  Article 5 of DORA (Digital Operational Resilience Act) makes it quite clear where accountability lies.

“The management body shall bear the ultimate responsibility for managing the financial entity’s ICT risk.”

– Article 5 of DORA (Digital Operational Resilience Act)

And of course, the SEC is seeking to make sure investors are also informed of listed companies’ board-level cybersecurity expertise.

Resources:

In all of these regulatory updates, there is a requirement to ensure that firms allocate sufficient resources toward dealing with cybersecurity. The DFS proposals are among the clearest:

“The CISO must have adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.”

– DFS

Risk Assessment:

Risk assessment of cyber and other ICT-related assessments is no longer Optional. Firms must do it and deliver sufficient insight to enable appropriate action to be taken.

Asset Visibility:

It would also seem that regulators have finally woken up to the fact that a lot of organizations have poor asset understanding and that by lacking visibility of all their hardware and software assets, organizations are potentially missing significant sources of risk. Both the DFS proposals and the EU regulation specify the need for firms to maintain a full inventory of their hardware and software assets. As well as for firms to “timely remediate vulnerabilities, giving priority to vulnerabilities based on the risk they pose to the … entity.”

Why does this matter?

So what does it all mean for those of us who are interested in Cyber Risk Quantification (CRQ) and its use to help us manage a firm’s cyber risk exposure? I think it’s a significant fillip for CRQ in general. Firms are going to have to take a disciplined and repeatable approach to assessing their cyber risk especially if they are to demonstrate that their risk assessment is providing actionable insight as to where to prioritize their spending.

I can also see boards needing to meet regulations and ensure sufficient resources for managing cyber risk. They may also demand a better understanding of the return on their investment.

During these times of tightened budgets, how can you determine what is considered sufficient?

Again, enter CRQ.  Not only can you demonstrate a return on the investment, but if you run your model often enough you can further ensure your expenditures are being utilized efficiently

But what about those who are yet to embark on the CRQ journey or embrace a formal approach to cyber risk assessment? Those who are considering where best to start?  

The good news is, I believe the regulators are laying out a path.  They are dropping some pretty heavy hints about where to start (once you have made sure it’s a board-level responsibility), and that is, start with your inventory!  Identify your full hardware and software inventory as this is the most likely source of most of your cyber risk.

In Conclusion

All these efforts aren’t necessarily easy tasks, especially if you have on-prem assets and have not been cloud-native since the beginning. But it is the starting place to manage your risk and you probably have all the information you need, buried in the digital exhaust from existing cyber and IT management tools. You just need the ability to de-duplicate and feed that information back into your inventory.

I’m sure it’s not an accident that the Balbix approach to CRQ starts here.