BankThink

Are the SEC's cyber disclosure regulations the new Sarbanes-Oxley?

The days when cyber risks might be short-lived and small in impact are over. Gone too is the comfort of knowing that doing enough of the right things and having enough of the right tools is the same as being effective against a severe cyber event when it actually happens, writes James Gerber.

The 25th of July 2002 is a date indelibly inscribed into the minds of CFOs at listed companies. It was the day that the Sarbanes-Oxley Act was passed by Congress, ushering in stricter auditing and public disclosure rules. This 18 December, companies will have a new reporting mandate to contend with: the Securities and Exchange Commission's cyber disclosure regulations.

Cyberattacks can have material impacts on a bank's business strategy, operations and financial condition, costing millions in ransom payments and disrupted operations, and billions in lost shareholder value. As leaders, we can demand more of our companies and press for the adoption of best practices. The SEC regulations in 2023 will drive better performance in cyber, just as Sarbanes-Oxley did for financial reporting two decades ago.

The new rules require that listed companies speed up their materiality assessments of cyber incidents so that they can rapidly disclose those with potential material impacts. Annually, they will also have to share information about their approaches to cybersecurity risk management, strategy and governance. The compliance deadline is December 18.

The days when cyber risks might be short-lived and small in impact are over. Gone too is the comfort of knowing that doing enough of the right things and having enough of the right tools is the same as being effective against a severe cyber event when it actually happens. Too many have learned the hard way, costing shareholders billions in lost value, in just days, from slow, uncertain and untested responses.

Best practices require that companies seek out and get metrics-based evidence that they can use to withstand and quickly restore operations after all kinds of potentially material cyber events that are out there today, even the new AI-enabled ones. It will no longer be enough for CFOs and CEOs simply to know all the things their company is doing to be safe. They now must know that they are effective.

We stress test our banks for their ability to withstand severe economic shocks. Greater scrutiny on a financial institution's cybersecurity reporting should prompt us to similarly stress test our critical institutions for their ability to withstand severe cyber events.

To be clear, this does not mean more tabletop exercises and penetration testing of your production environments. It does not mean practice in small, generic simulators. What it does mean is regular, severe event exercises in safe replicas of a bank's actual technology, so that you can have evidence about your preparedness and can strengthen your defenses where necessary.

This is how leading banks and other critical infrastructure companies have stress tested themselves in cyber for years — using commercially available, metrics-based capabilities that the U.S. military uses, in high-fidelity replicas of their own, highly complex IT systems.

A good analogy for this best practice comes from the airline industry, where flight crews are regularly required to go into high-fidelity replicas of the actual Boeing and Airbus planes they fly, practicing their responses to severe engine outages, hydraulic failures and other systems failures.

They are allowed to fail and often do. That is the point. Strenuous practice is the only way to prove that teams can succeed when the day comes that decisions must be quick, smart and sure; and rehearsing alongside security teams for significant cyber events will allow financial and disclosure teams to make those critical materiality determinations "without unreasonable delay" as the SEC requires.

The U.S. Air Force discovered years ago that pilots who had learned enough to survive their first ten missions had high success rates thereafter. From that, training exercises like Red Flag were born and became mandatory. When U.S. Cyber Command stood up in 2010, they quickly followed suit with Cyber Flag, pitting their defensive teams regularly against aggressive technological attacks. Within another five years, forward-thinking commercial companies followed suit.

To prepare for increased cybersecurity transparency in 2024, CEOs and audit committees need to get effectiveness metrics on the severe threats their teams have practiced against each quarter. CFOs must continue to drive out excess costs that have accumulated over the years, and must also require evidence that those spending reductions preserve top-line risk control. Disclosure teams need to make sure they have incident response playbooks in place early for potentially material events, and to practice with their teams so they are ready to disclose quickly and accurately to the SEC if disaster strikes. Security teams need to measure their ability to detect all severe event indicators that can be present, not just a few. Operations teams need to tune out the false positives that are costing you money. IT teams need to practice fast, minimal-impact restoration of systems.

Cyber consultants need to get their clients into high-fidelity replicas of their networks and help them put effectiveness metrics and regular exercise protocols in place, even if it means giving them time in the military-grade ones you maintain. Managed service providers need to tell their midsize bank clients when they last practiced severe attack response and restoration on replicas of the systems they operate.

As with Sarbanes-Oxley, the SEC rules will make best practices the norm. Banks know that they should be transparent, with timely disclosure of attacks that become material, and they know that they should be regularly practicing to counter those kinds of cyberattacks before they start.

In 2015, the Atlantic Council and the Zurich Insurance Group estimated that excellent digital preparedness in cyber can add USD 120 trillion to global GDP over a thirty-year period. That is worth achieving.

So, to the C-suite: be demanding, and focus on the effectiveness of your cyber programs, particularly against the severe types of events that can be material to you and your shareholders if not handled correctly. You will sleep better at night, and it just may put you in some very good company when it comes time for those new Reg S-K disclosures the SEC is asking for in your 10-Ks after December 18.
