
Welcome
The Securities and Exchange Commission (SEC) released its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure on July 26, 2023. This gives your organization approximately five months to confirm your compliance plans before the new disclosure requirements take effect in mid-December. The revisions from the proposed rule have streamlined the disclosure requirements in many ways, in response to more than 150 comment letters filed from issuers, investors, and other parties.
Still, disclosure can seem a daunting prospect if your company’s cyber risk management program won’t withstand investor scrutiny. Many companies are not ready today to reveal their cyber capabilities to the extent that the new rule requires.
With this new rule, the SEC puts the onus on companies to give investors current, consistent and “decision-useful” information about how they manage their cyber risks. We see the rule as a call to action, challenging enterprises to be ready to expand their disclosures regarding their cyber risk management, strategy, and governance processes.
Joe Nocera
Cyber and Tech Risk Solution Leader, PwC US
Best Practices for the Cyber-Risk Management: Plan, Secure and Monitor the Life Cycle
- Michael Kranawetter | Sema Yuce
- 28 June 2023
Cyber-risk management is crucial for organizations that operate in interconnected digital environments. This research helps security and risk management leaders understand the essential components of a cyber-risk management program.
Overview
Key Findings
- Successful cyber-risk management programs embody the 5-D rule: dynamic, distributed, defensible, data-driven and decision enabling.
- Cyber-risk data cannot be analyzed to provide actionable outcomes without context.
- Limited resources and cost of operations require categorizing the criticality and sensitivity of assets to enable adaptive cyber-risk management.
- Security and risk management (SRM) leaders are increasingly being asked to express cyber risks in monetary terms to enable comparisons with other risks across their organization.
- Documenting cyber risks in a risk register and ensuring continual communication with stakeholders are critical to provide an overview of cyber risks stated from a business perspective, which enables data-driven decision making. [...]
The latest insights from PwC
What makes a cyber incident material?
Companies should consider establishing processes, procedures and controls to confirm they are able to promptly assess the impact of a cyber incident, from collection of information to escalation to contemporaneous documentation, and, if necessary, disclosure.
C-suite questions to ponder
At most companies, responsibility for compliance will rest among those in several primary roles, each with their own questions to ponder. Coordination among these executives in answering the questions is going to be critical.
Equip your Boards with the Rules
Strengthen your board’s ability to govern and oversee cyber risk with a single platform featuring PwC insights, peer data and reporting resources designed to help directors meet evolving expectations.
Missed our recent webcast?
PwC discussed how CISOs, CFOs and others in management and at the Board level can assess current SEC cyber disclosure capabilities, develop new processes and gain confidence in their ability to meet these requirements. Topics covered included how the C-suite can team to tackle new disclosure requirements, how existing cyber assessment measures may need to change going forward, how materiality in cyber incidents may be determined, and how executives can be best equipped to address Board concerns about SEC cyber rules.