The U.S. Securities and Exchange Commission (SEC) is taking steps to crack down on insufficient cyber risk reporting.
Seeking to minimize cybersecurity threat effects, the SEC has proposed several amendments requiring organizations to report on cyber risk in a “fast, comparable, and decision-useful manner.”
Worryingly, threats are beginning to outpace organizations’ ability to effectively prevent and respond to them. Leaders are no longer as confident in their organization’s cyber resilience, and employees often lack awareness.
The proposed reporting requirements should give investors and boards better visibility into the financial impact of cyber risk and show whether an organization's risk mitigation investments are adequate.
Many organizations base their risk mitigation programs on standard risk quantification models such as FAIR (Factor Analysis of Information Risk). Cyber risk officers can use FAIR to quantify cyber risk in financial terms, a language familiar to…
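To show what "quantifying cyber risk in financial terms" looks like in practice, here is an added example (not from the original page, and not FAIR Institute code) of the basic FAIR decomposition: Loss Event Frequency is Threat Event Frequency multiplied by Vulnerability, and annualized loss is Loss Event Frequency multiplied by Loss Magnitude. The ranges below (minimum, most likely, maximum) are constructed illustrative inputs, and the triangular distribution used to sample them is a simplifying assumption; FAIR practitioners commonly use PERT or similar calibrated distributions instead.

```python
import random
import statistics


def loss_event_frequency(threat_event_frequency, vulnerability):
    """FAIR: LEF = TEF x Vulnerability (events per year that actually cause loss)."""
    return threat_event_frequency * vulnerability


def annualized_loss(lef, loss_magnitude):
    """FAIR: annual loss exposure = LEF x Loss Magnitude (per-event loss in currency)."""
    return lef * loss_magnitude


def simulate_annual_loss(tef_range, vuln_range, lm_range, iterations=20000, seed=1):
    """Monte Carlo over (min, most_likely, max) ranges for each FAIR factor.

    Returns a dict of summary statistics on simulated annual loss in dollars.
    Triangular sampling is an assumption for illustration, not a FAIR requirement.
    """
    rng = random.Random(seed)  # seeded so results are reproducible for review
    losses = []
    for _ in range(iterations):
        tef = rng.triangular(tef_range[0], tef_range[2], tef_range[1])
        vuln = rng.triangular(vuln_range[0], vuln_range[2], vuln_range[1])
        lm = rng.triangular(lm_range[0], lm_range[2], lm_range[1])
        losses.append(annualized_loss(loss_event_frequency(tef, vuln), lm))
    losses.sort()
    return {
        "mean": statistics.fmean(losses),
        "median": losses[len(losses) // 2],
        "p90": losses[int(0.90 * (len(losses) - 1))],
        "max": losses[-1],
    }


# Constructed inputs for a hypothetical ransomware scenario against a file server:
# (min, most likely, max) threat events per year, probability an attempt succeeds,
# and loss in dollars per successful event.
SCENARIO = {
    "tef_range": (2, 5, 12),
    "vuln_range": (0.10, 0.30, 0.60),
    "lm_range": (20_000, 50_000, 200_000),
}

if __name__ == "__main__":
    stats = simulate_annual_loss(**SCENARIO)
    for name, value in stats.items():
        print(f"{name:>6}: ${value:,.0f}")
```

The mean answers the question a finance audience asks ("what does this scenario cost us per year on average?"), while the 90th percentile is the figure to compare against the cost of a control: a control that costs less than the reduction it produces in expected loss is the kind of "adequate investment" the reporting rules are meant to make visible.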