
More transparency required in cybersecurity disclosures




Complete, accurate disclosures


Kovalsky said that because of the changing nature of cybersecurity threats and constant changes in technology, every cybersecurity control is in some state of evolution.


Companies are accustomed to disclosing information internally about the status of cybersecurity practices and controls. CFOs have been meeting with CIOs and CISOs for years to discuss the effectiveness of controls, threat management, potential risks and risks that might not be mitigated yet in a satisfactory fashion.


“But that’s very different from saying you’re ready to disclose it to the public,” Frazier said. “Just like in the MD&A, there’s an onus on management to make sure what is disclosed is complete and accurate.”


However, Kovalsky said one element of the business environment can stand in the way of complete, accurate disclosure. CISOs sometimes go into board meetings under pressure from other executives to make an organization’s cybersecurity risk management processes and protections sound more mature than they really are.


If the board doesn’t have a full appreciation of the risks due to these pressures, it’s more likely that the disclosures to the SEC will be incorrect.


“Boards need to be prepared to ask more granular, pointed questions. It should be a reasonable expectation that the CISO not only describes the risks in qualitative terms but quantifies them to the board or committee charged with cyber risk oversight,” Kovalsky said.


General questions about cybersecurity can include:

  • What framework is management using to design its risk management program and what framework does management use to communicate information about its cybersecurity?
  • Has an assessment of the organization’s cybersecurity risk management program been conducted by an independent third party?
  • What controls and processes are in place to prevent, detect, respond to and recover from cyberattacks?
  • What are the potential financial impacts of the inherent and residual risks? And are those within our risk appetite?
  • What are the returns on our cybersecurity investments?
  • Does the company conduct regular “dry run” scenario planning exercises to practice how it would respond in the case of a breach? (And do those exercises reveal any shortcomings?)
  • What model does the organization use to determine materiality with respect to breaches and disclosures?

Boards should be asking what processes are in place to capture the answers to all those questions and the data that’s necessary for internal and external reporting.


One of the first steps in deciding whether a cybersecurity incident is material may be developing a framework for the determination. Among the Grant Thornton survey respondents who did not answer “unsure”, just 9% have identified the drivers of materiality and tested the framework during a table-top exercise. An additional 24% have identified the drivers of materiality but have not tested them, and 40% are in the process of developing a framework. More than one-fourth (27%) haven’t yet started developing a framework.



National Cyber Security