Cybersecurity Reporting Updates with Hilary Tuttle of Risk Management Magazine

Published: Aug. 8, 2023, 8:41 a.m.


Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society.


RIMS Risk Management Magazine Managing Editor Hilary Tuttle rejoins RIMScast to discuss new cyber incident reporting policies issued by the SEC. (Press release: sec.gov/news/press-release/2023-139.) Hilary talks about the key role that governance plays in the SEC’s announcements and how risk managers need to put this on their radar and even use it as an opportunity to demonstrate their value to the organization.

Hilary also discusses a cyber insurance market outlook for the latter half of 2023.


Key Takeaways:

[:01] About RIMScast and the RIMS App, an exclusive benefit for RIMS members.

[:32] About today’s episode, where we will discuss some major cyber reporting news with RIMS Risk Management Magazine Managing Editor, Hilary Tuttle.

[:58] All about exciting, upcoming RIMS events! Registration is open for the RIMS Canada Conference 2023, which will be held September 11th–14th in Ottawa! Visit RIMSCanadaConference.ca for more information.

[1:19] On September 14th, the Spencer Educational Foundation returns to New York City for its Annual Funding Their Future Gala. The event will be held at the Cipriani on 42nd Street. A link is on this episode’s notes. You can also visit SpencerEd.org.

[1:36] The RIMS Western Regional Conference will be held October 4th–6th in Vail, Colorado. Visit RIMSWesternRegional.com for more information and to register.

[1:48] Head to the RIMS.org/Advocacy page to find information about The RIMS Legislative Summit, which is returning to Washington, D.C. on October 25th and 26th.

[2:02] We are very excited about the RIMS ERM Conference 2023, which will be held November 2nd and 3rd in Denver, Colorado! The theme is Elevate and Evolve. Registration will open soon as will a call for nominations for the ERM Award of Distinction. Visit the events page on RIMS.org for more information.

[2:25] We are accepting educational session submissions for RISKWORLD 2024. See the link to the online submission form in this episode’s notes. RISKWORLD 2024 will be held May 5th–8th in San Diego!

[2:44] Cyber is on our radar here at RIMScast! In July 2023, The United States Securities and Exchange Commission issued new rules for cyber incident reporting as well as guidance for cybersecurity governance. I asked my colleague Hilary Tuttle to join us here on RIMScast. Hilary is the RIMS Risk Management Magazine managing editor.

[3:16] Hilary is our resident authority on cyber. She’s been reporting on it for years. She’s here to tell us what’s going on and what you need to know if you are a business leader, risk manager, or chief technology officer when it comes to these new reporting guidelines.

[3:45] Justin welcomes Hilary Tuttle back to RIMScast. Justin says he thinks of Hilary Tuttle when he sees cyber news.

[4:10] The big news is the United States SEC adopted some controversial new cybersecurity reporting rules and we need to talk about them. There’s the hook, and then there’s the deeper understanding of what’s going on. First, we’ll talk about the hook.

[4:38] Hilary says organizations are going to have to report to the SEC any cyber incident within four days of assessing the material financial impact of an incident. A material financial impact is financial losses or a significant impact on a company’s financial performance or results. This may be a reputation risk with a potential dip in stock price.

[5:34] The SEC has not stipulated what qualifies as a significant impact on a company’s financial performance or results. The rule on incident reports starts in December 2023. The rule on incidents that must be reported in annual reports starts in fiscal years beginning in 2024.

[6:31] Organizations have to establish that an incident happened. Was there data exposure? Was there a loss? Was there a disruption or outage because of a malicious actor? The forensics on these questions is what takes time for certain cyber incidents. The SEC is not making stipulations about how long the forensics should take.

[7:24] The organization has to establish that the incident will have a material impact on financial performance. For large public companies, that can be a high bar to clear. Companies vary widely in the maturity of their current capacity to quantify the impact of the cyber incident.

[7:57] The new requirement does not stipulate timing relative to the onset of the cyber attack or exposure. The clock starts ticking once you realize that materiality is involved. That’s an easier timeframe to meet. This is an important bar, and companies may not be prepared to do the math needed to meet it.

[8:32] The risk manager needs to align with the CFO and CTO to establish that equation. Doing so also demonstrates the value the risk manager brings to that equation.

[9:20] Justin plugs the ERM Conference 2023 in Denver, on November 2nd and 3rd. Registration opens Friday, August 18!

[9:41] Will these new reporting requirements lead to an increase in whistleblower claims, investigation, and litigation? New regulations lead to a formalized focus on what is unacceptable or illegal behavior, so there could be an increase in whistleblowing.

[10:32] Hilary has seen a budding class of shareholder-derivative suits that focus on cyber governance, the material impact of cyber incidents, and the board's fiduciary duties for cyber. This development reflects an evolution in our thinking about the tangible impacts of cyber risk, their severity, and where the responsibility lies.

[11:10] The board and management have obligations and their dereliction of those duties has a concrete impact on a company’s future and shareholders. That is an actionable claim. We are seeing more formalization of those expectations and, in turn, more consequences for failures.

[11:47] The real headline in this decision is that the SEC is requiring formal cybersecurity risk management, strategy, and governance.

[12:09] Publicly-registered companies are going to need to incorporate formal disclosures into their annual reports, describing what, if any, processes they have in place for assessing, identifying, and managing material risks from cyber threats, the reasonably likely material impact of cyber threats, and previous cybersecurity incidents.

[12:35] The SEC is also going to be requiring companies to describe their board’s oversight of cyber risks and management’s role and expertise in assessing and managing material risks of cyber threats. That means that companies have to have a cyber risk management strategy and governance processes. Many do not.

[13:00] The requirement for a cyber risk management strategy and governance processes is the biggest burden on companies in terms of ensuring compliance with this rule. A lot of boards lack the expertise to effectively oversee real cyber risk governance. The SEC is highlighting that cyber risk is business risk. It impacts viability.

[14:22] Cyber risk has been one of the top global risks listed by the WEF for years. Gary Gensler, chair of the SEC, noted that the requirement is aimed at making disclosures consistent, comparable, and decision-useful. Cybersecurity risk management plays a key part in establishing or maintaining a company’s value and survivability.

[15:38] RIMS plug time! Sponsor an episode of RIMScast! Contact us at pd@rims.org. For upcoming virtual workshops visit RIMS.org/virtualworkshops for the calendar. Managing Data for ERM is a three-module course that begins September 21st.

[16:21] Optimizing Risk Management with Artificial Intelligence will be led on September 28th by Pat Saporito. Chris Hansen will be leading Managing Worker Compensation, Employer's Liability, and Employment Practices in the US on November 7th and 8th. Be sure to register for that course!
[16:55] Information about these sessions and others is on the RIMS Virtual Workshops page. Check it out and register!

[17:03] The RIMS-CRMP-FED Exam Prep is on August 15th through 17th, 9:00 am–4:00 pm EDT. For anyone attending RIMS Canada on September 10th and 11th, there will be a RIMS-CRMP Exam Prep In-Person Workshop in Ottawa, and it will be led by former RIMS President Chris Mandel.

[17:29] Visit RIMS.org/Certification for these and future workshops. A link is also in this episode’s show notes, as is a link to the full Virtual Workshop calendar.

[18:11] Hilary shares thoughts about the cyber insurance market for the rest of 2023. She sees signs of optimism. Some businesses have come a long way toward bridging their cybersecurity risks with the more common, low-hanging fruit of phishing education, implementing multi-factor authentication, and crafting tougher passwords.

[18:49] There’s been a big shift in the behavior of ransomware victims. Ransomware losses have driven the hard market in cyber insurance. In 2019, 76% of victims paid ransom. In 2022, 46% of victims paid ransom. They are becoming more savvy about phishing and secure backups. Their insurance may have a ransomware exclusion.

[20:38] The cyber insurance market is getting more profitable and rates are moderating after a number of quarters of brutal rate hikes. That’s great news for risk managers. Marsh’s latest Global Insurance Market Index found that globally, cyber insurance pricing moderated to a 1% increase in Q2, compared to 11% in Q1, and 28% in Q4 2022.

[21:13] It’s better news in the U.S. Rates decreased 4% in Q2, compared to 11% in Q1. So things are looking up. Rates will not return to pre-ransomware days. We know a lot more now about what cyber costs. Hopefully, you know more about your exposure and your modeling. Litigation over cyber coverage has also brought more clarity about what that coverage means.

[22:08] We’re getting a more realistic perspective of what cyber should be and can be for buyers going forward. When it comes to cybersecurity and vulnerability, there’s always something you can do better. There is always a way that a threat actor will get you. But there is a bit more room to feel cautiously optimistic about the cyber insurance market.

[23:22] Whether the market remains “flattish” will depend on the companies and their losses in the latter half of 2023.

[23:32] Justin thanks Hilary for coming and breaking it down for us. This is valuable for the audience to know. We may follow up on the SEC rule at the beginning of next year, once everything goes into effect for everyone. It will be interesting to see how enforcement shapes up regarding the governance requirements.

[24:15] Justin thanks Hilary for joining us again on RIMScast.

[24:20] Special thanks to RIMS Risk Management Magazine Managing Editor Hilary Tuttle for joining us here today. Links to RIMS coverage of the SEC’s new cyber reporting rules are on this episode’s show notes. Be sure to check out Risk Management Monitor and RMMagazine.com for news as well.

[24:41] The new issue of Risk Management Magazine is now live in print and online. Visit RMMagazine.com.

[24:49] You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are on our show notes. RIMScast has a global audience of risk professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let’s collaborate! Contact pd@rims.org for more information.

[25:34] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information. The RIMS app is available only for RIMS members! You can find it in the App Store.

[25:59] Risk Knowledge is the RIMS searchable content library that provides relevant information for today’s risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more.

[26:15] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com and in print, and check out the blog at RiskManagementMonitor.com. Justin Smulison is Business Content Manager. You can email Justin at Content@RIMS.org.

[26:37] Justin thanks you for your continued support and engagement on social media channels! We appreciate all your kind words. Listen every week! Stay safe!

Mentioned in this Episode:

NEW FOR MEMBERS! RIMS Mobile App

Submit an Educational Session for RISKWORLD 2024

RIMS ERM Conference 2023 | Nov 2–3 in Denver, CO!

RIMS Canada 2023 — Sept. 11–14 in Ottawa!

Spencer Educational Foundation — Funding Their Future Gala — Sept. 14, 2023

Contribute to Risk Management Magazine

RIMS Western Regional — Oct 4–6, Vail Colorado

RIMS-Certified Risk Management Professional (RIMS-CRMP)

Dan Kugler Risk Manager on Campus Grant

Upcoming Virtual Workshops:

Fundamentals of Risk Management | Aug. 8–9

Optimizing Risk Management with AI | Sept. 28

Managing Worker Compensation, Employer's Liability and Employment Practices in the US | Nov 7

See the full calendar of RIMS Virtual Workshops

RIMS-CRMP-FED Exam Prep Virtual Workshop

August 15–17, 2023

9:00 am–4:00 pm EDT

RIMS-CRMP Exam Prep In-Person Workshop
In Ottawa, ON, Canada
September 10–11, 2023

9:00 am–4:00 pm EDT

All RIMS-CRMP Prep Workshops

Related RIMScast Episodes:

“Near-Misses Still Count”: Risk Management Magazine’s Morgan O'Rourke and Hilary Tuttle

“Mid-Year 2023 Update with Morgan O’Rourke and Hilary Tuttle”

“Cybersecurity and Insurance Outlook 2023 with Josephine Wolff”

“Genuine Generative AI Talk with Tom Wilde of Indico Data”

Sponsored RIMScast Episodes:

“Subrogation and the Competitive Advantage” | Sponsored by Fleet Response (New!)

“Cyberrisk Outlook 2023” | Sponsored by Alliant (New!)

“Chemical Industry: How To Succeed Amid Emerging Risks and a Challenging Market” | Sponsored by TÜV SÜD

“Insuring the Future of the Environment” | Sponsored by AXA XL

“Insights into the Gig Economy and its Contractors” | Sponsored by Zurich

“The Importance of Disaster Planning Relationships” | Sponsored by ServiceMaster

“Technology, Media and Telecom Solutions in 2023” | Sponsored by Allianz

“Analytics in Action” | Sponsored by Alliant

“Captive Market Outlook and Industry Insights” | Sponsored by AXA XL

“Using M&A Insurance: The How and Why” | Sponsored by Prudent Insurance Brokers Ltd.

“Zurich’s Construction Sustainability Outlook for 2023”

“Aon’s 2022 Atlantic Hurricane Season Overview”

“ESG Through the Risk Lens” | Sponsored by Riskonnect

“A Look at the Cyber Insurance Market” | Sponsored by AXA XL

“How to Reduce Lithium-Ion Battery Fire Risks” | Sponsored by TÜV SÜD

“Managing Global Geopolitical Risk in 2022 and Beyond” | Sponsored by AXA XL

RIMS Publications, Content, and Links:

RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community!

RIMS Virtual Workshops

On-Demand Webinars

Risk Management Magazine

Risk Management Monitor

RIMS Risk Leaders Series

RIMS-Certified Risk Management Professional (RIMS-CRMP)

RIMS-CRMP Stories — New interview featuring Roland Teo!

Spencer Educational Foundation

RIMS DEI Council

RIMS Path to the Boardroom

RIMS Events, Education, and Services:

RIMS Risk Maturity Model®

RIMS Events App Apple | Google Play

RIMS Buyers Guide

Sponsor RIMScast: Contact sales@rims.org or pd@rims.org for more information.


Want to Learn More?

Keep up with the podcast on RIMS.org and listen on Apple Podcasts.

Have a question or suggestion? Email: Content@rims.org.


Join the Conversation!

Follow @RIMSorg on Facebook, Twitter, and LinkedIn.


Follow up with Our Guest:

Chris Hansen on LinkedIn

Snug Harbor Risk Consulting

RIMS New Jersey Chapter


Tweetables (For Social Media Use):


“Organizations are going to have to report any cyber incident within four days … of assessing material financial impact of an incident. … [A material financial impact is] financial losses or a significant impact to a company’s financial performance or results.” — Hilary Tuttle


“You have to establish that an incident happened. Was there data exposure? Was there a loss? Was there disruption or outage because of a malicious actor? The forensics on that part is often what takes time for certain types of cyber incidents.” — Hilary Tuttle


“As Gary Gensler, the chair of the SEC, noted, the requirement here is aimed at making sure that these disclosures are consistent, comparable, and decision-useful and I think that’s a really interesting point.” — Hilary Tuttle


“It’s kind of a nice affirmation that, again, cyber risk is business risk. And cybersecurity risk management plays a really key part in establishing or maintaining a company’s value.” — Hilary Tuttle
