Defining What Risk is Worth

In the article about Uber we warned that there was an evolution underway on regulatory compliance and cyber risk. Companies could face enforcement from the US Securities and Exchange Commission, better known as the SEC, and it turns out that being unprepared has the potential to cost companies.

Companies and organizations are under pressure to effectively manage cyber risk and bolster data protection to comply with their fiduciary responsibilities. As digital dangers escalate, the SEC and other regulatory bodies like DORA in the EU are instituting new rules that companies must adhere to so that they can protect global markets.

Almost all businesses understand the value of cybersecurity, but many look at it as an active state of defense. Too many companies do not understand that the best cybersecurity strategy is a robust resiliency strategy and an aim for business continuity. Attacks happen daily: in fact, in June 2021 there were 30 attacks per second (according to SonicWall). We know it will eventually happen, but the question is: what happens next?

Organizations who have limited themselves to active detection may not be able to stay afloat after a data breach has occurred. They will be unable to respond adequately in the aftermath of a disaster of any kind, regardless of whether it’s a natural disaster or ransomware. As a company, you must ask yourself how soon you can continue ‘business as usual’ after an incident has occurred.

A company’s worth and value in the marketplace is only what the people will pay for it. Shareholders, aka people who invest in the stocks, are buying into what they believe is a fair price and make an investment that a company’s worth is going to go up. What do you do and what rights do you have when the company you invested in lied about how protected you are?

If a company is not upfront about how protected they are and a hacker steals the information, the company is now subject to being sued and could very well go out of business trying to repay the customers they said they were protecting. Now the shareholders have lost their money.

Shareholders try to maximize their wealth and derive worth from valuating a company’s operating income, operating costs, risk and capital, and expectations. Risk and capital are derived from operational risk, regulatory risk, and other threats that upset the stability of a company. Lie about the amount of risk you have and now you have destabilized the valuation and a shareholder may not want to invest.

One company is not going to affect the market. While there are repercussions available when a shareholder feels they were misled, the SEC is aware that cyber threats are not a once-and-done event. Cyber threats are now a matter of ‘when, not if’ and the SEC is starting to implement regulatory measures to pre-emptively mitigate the risks that threaten to destabilize the marketplace and economy.

The goal of the SEC is to protect the stock market and the overall economy. Data breaches are a big threat to maintaining economic stability in the marketplace and could trigger a global downturn in the economy if not addressed. Imagine multiple company stocks tumbling after each security breach week after week; the result would be disastrous.

Early in 2022 the SEC announced there would be cybersecurity requirements to make protection and disclosure more transparent and consistent. Within the requirements are undertones for containment and remediation of a breach. While the exact amendments have yet to be detailed out, the rules are expected to require written cybersecurity policies and procedures that “improve investor confidence in the resiliency…against cyber threats and attacks.” Companies would also be required to publicly disclose cybersecurity risks and significant incidents within the previous two fiscal years.

This mandate will essentially require companies to disclose their data governance abilities, security protocols, and detail the board’s role in managing digital risk. It will also require an outline of the relevant qualifications of management teams and their applied function to the organization’s cybersecurity and data recovery protocols and policies. It may also soon become the norm to require a company to utilize its bandwidth and capabilities to identify, evaluate, and mitigate cybersecurity risks and their ability to return to normal operation with penalties incurred for the untimely ability to resume business as usual.

It is impossible to be invincible against cyber-attacks which means that organizations must be able to bounce back with minimal disruption to operations, finances, and reputation. In the past, boards have often fought to return profits to the pockets of investors which meant that investing in business continuity took a back seat. Today, maximizing shareholder wealth means funds are used to bolster cyber resiliency which helps to maximize profit and raise the stock price.

So, what should companies be doing?

Cyber resiliency, data protection and recovery are complicated. The reality is that you don’t need to understand the technical details to understand the risk. Companies hire technical IT and cloud security professionals to understand, implement, and deploy the right solutions. What companies should acknowledge is that a higher risk requires more budget and financial empowerment to be allocated to their teams so that they can implement and execute the needed data protections and recovery solutions.

When you purchase a vehicle, you understand that it isn’t a once-and-done purchase. There are certain requirements and certifications that drivers must maintain. For example, you are required to carry a valid insurance policy and maintain and log a valid report for the vehicle. There is also an understanding that eventually a vehicle becomes worn out and needs to be replaced as parts become obsolete or the cost of repair outweighs the cost of a new purchase.

The same can be said for data protection and recovery. Being resilient isn’t just ‘installing’ a recovery device, it is being prepared against an unknown threat that you cannot see or hear. A company needs to maintain their data protection and recovery solutions in the same way that they would a vehicle: training, maintenance, inspections and repair and replacement discussions along with the expectation that this is all part of the cost of doing business.

Cyber resilient organizations must also have open and trusting conversations about the reality of their state of their cybersecurity and data protection. Board members and companies must sit down and make the effort to understand what is happening and tech professionals need to facilitate this relationship. How well do corporate executives and board members understand the basic approach and effectiveness of their infrastructure and framework? How well do these teams and individuals convey the ineffectiveness in terms of financial risk and exposure?

Where can you start? Companies need to make sure they have governance and compliance standards in place and prepare by increasing visibility into their data and assets. They should take infrastructure vulnerabilities seriously, and consider data protection and recovery a lifestyle change, not a single purchase.

It would be beneficial for businesses to realize the operational cost of cyber resiliency and compare it against the opportunity cost of not having a data protection recovery plan in place.