CyberSaint, in collaboration with the Advanced Cyber Security Center (ACSC), has conducted a comprehensive focus group study aimed at gaining insight into the dynamics of cyber risk reporting in large enterprises.
Cyber risk reporting has become an essential component of proper cyber risk management, and investors and other stakeholders increasingly expect organizations to report on their cyber risk posture. In the United States, the SEC now requires public companies to disclose their cyber security risks and incidents in their financial filings. The SEC has also issued guidelines for disclosing cyber security risks and incidents to investors and, under the new rules, has emphasized the need for regular cyber risk reporting to board and executive leadership.
Despite the obvious need, reporting cyber risk posture up to the board of directors or executives can present significant challenges:
- Correlating cyber risk to business risk: the technical intricacies inherent in cyber risk reporting can present difficulties for non-technical stakeholders, such as board members and executives, who may struggle to fully comprehend the implications of cyber security risks when the information isn’t contextualized to align with business outcomes.
- Standardizing and benchmarking: the method of reporting cyber risk varies widely among organizations, making it difficult to establish consistent metrics and benchmarks, hampering the industry’s long-desired goal of comparing cyber security performance across different business units or industry peers.
- Reliance on manual methods: because cyber risk reporting is resource-intensive, demanding both time and expertise, even large organizations often rely on spreadsheets and PowerPoint presentations to measure and report on cyber risk. The result is point-in-time views built on outdated data, significant wasted time and resources, and incomplete or inaccurate reporting.