Aon  |  Financial Services Group

Navigating Cybersecurity Risk in the New SEC Regime

Release Date: February 2024

In recent years, companies have experienced a continued escalation in the risk and impact of cyber events. As a result, the Securities and Exchange Commission (SEC) has recognized in its recent rulemaking the importance of company transparency with investors and regulators around cybersecurity risk management and the impact of cyber events.

The SEC Cybersecurity Disclosure Rules have received a lot of attention, primarily because of the short timeframe for disclosing “material cybersecurity incidents”. However, there is much more to the rules, and their implications are considerably broader.


What does the SEC want?

The Rules require public companies to:

  • Annually disclose information regarding cybersecurity risk management, strategy and governance
  • Disclose material cybersecurity incidents generally four business days after determining that the incident is material

The requirements have generated a significant amount of analysis and interpretation. Helpfully, Erik Gerding, the SEC’s Director of the Division of Corporation Finance explained the “rationale and mechanics of these rules” here.

“... our goal as staff is not simply to have another rule on the books ... we are hoping to elicit tailored disclosures that provide consistent, comparable, and decision-useful information to investors...”

The SEC’s rulemaking is clear on what needs to be done but does not provide a roadmap for building the strategic, practical and decision-making processes that would support the required disclosures.

There have been many discussions around the difficulties presented by the disclosures required when a company has a cyber event, including the fact that these disclosures would be made while the corporation is in the early stages of managing a crisis, potentially pouring fuel onto an already dangerous fire.

But this fear underlines the fundamental problem that the SEC is trying to address:

  • Cyber Attack or Data Breach is the number one risk facing organizations globally and is predicted to remain in this position through 2026
  • Cyber events can have an impact on all areas of an organization, and regulatory bodies are tightening cybersecurity requirements; consequently, cyber resilience is a key topic of discussion in boardrooms worldwide
  • The fallout from a reputation crisis can be far greater than any short-term earnings losses, with some companies losing significant shareholder value

What should public companies do, and how can Aon help?

1. Define a process to implement cybersecurity risk management, strategy and governance

Board Assessment

  • How is the Board overseeing, managing, and enabling cyber risk management across the enterprise?
  • Conduct risk management, strategy, and governance reviews in collaboration with legal
  • Prepare and submit disclosures that communicate how cyber risk is being managed

Define Risk Appetite

  • Focus on priorities
  • Allocate resources
  • Optimize outcomes in the context of risk reduction

Enterprise Risk Assessment

  • Use pre-defined risk appetite as the framework
  • Assess how risk is being managed throughout all phases of the risk lifecycle:
    • Identify and assess risks
    • Implement proper controls
    • Establish capabilities to ensure that the organization can recover from an adverse incident
    • Address weaknesses in current control implementations
    • Monitor the threat landscape for emerging threats

2. Disclose material cybersecurity incidents

Risk Quantification

  • Conduct scenario-based impact quantification studies
  • Quantify results in the context of corporate risk tolerance
  • Understand the near- and long-term financial impacts of adverse cyber events
  • Create materiality decision-making framework around results

Response Review

  • Create internal processes and capabilities for management decision-making around materiality and disclosure
  • Document processes in plans and playbooks
  • Link and coordinate risk management, business continuity planning, disaster management and disaster recovery plans to board, legal and compliance oversight

Materiality Workshops and Exercises

  • Stress test the components, data inputs and responsibilities through simulation
  • Engage outside resources (particularly legal and public relations) in simulations to ensure consistency of protocols and messaging
  • Engage senior leadership to understand and define roles and responsibilities in making materiality decisions
  • Refine and repeat the exercise as the corporate structure, risk profile and threat environment evolve

Conclusion

The SEC rules highlight the serious cyber threat environment and the pressing need for companies to put oversight and structure around their response to one of the greatest risks today.

Aon has global resources and capabilities to help companies put a structure in place to make better decisions and implement these across a corporate framework. Importantly, Aon can also structure risk financing solutions to mitigate the impacts of cyber events directly via Cyber Insurance, and for executives, the board and decision-makers by way of Directors & Officers Insurance.
Contact Us

Discuss this article with Aon professionals Tom Ricketts, Nicholas Reider, Lynn Burns or Laura Wanlass.

  • Tom Ricketts, Managing Director, New York, +1.212.441.1744
  • Nicholas Reider, Senior Vice President, Deputy D&O Product Leader – West, Denver, +1.415.486.7611
  • Lynn Burns, Cyber Director, Cyber Security Advisory, Virtual, +1.202.971.3975
  • Laura Wanlass, Corporate Governance Practice Leader, North America, Virtual, +1.847.771.6263

About Aon

Aon plc (NYSE: AON) exists to shape decisions for the better—to protect and enrich the lives of people around the world. Our colleagues provide our clients in over 120 countries with advice and solutions that give them the clarity and confidence to make better decisions to protect and grow their business.

©2024 Aon plc. All rights reserved.

Aon is not a law firm or accounting firm and does not provide legal, financial or tax advice. Any commentary provided is based solely on Aon’s experience as insurance practitioners. We recommend that you consult with your own legal, financial and/or insurance advisors on any commentary provided herein. All descriptions, summaries or highlights of coverage described herein are for general informational purposes only and do not amend, alter or modify the actual terms and conditions of any relevant policy. Coverage is governed only by the terms and conditions of such policy. Insurance coverage in any particular case will depend upon the type of policy in effect, the terms, conditions and exclusions in any such policy, and the facts of each unique situation. No representation is made that any specific insurance coverage would apply in the circumstances outlined herein. Please refer to the individual policy forms for specific coverage details.

The information contained in this document and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity.

Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it.

Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates.