Enhancing Cyber Risk Dialogue: Lessons from SEC’s Recent Action

As a reaction to a number of major corporate and accounting scandals (namely Enron and WorldCom), twenty years ago the Sarbanes-Oxley Act (SOX) was enacted. The law is almost certainly present in the day-to-day professional lives of every public company CFO and CEO.

Arguably, SOX has improved transparency and investor confidence in US capital markets. By imposing strict new controls over financial reporting processes, mandating criminal penalties for senior executives who certify false financial statements, enacting new regulations ensuring auditor independence, and strengthening Board oversight and governance, Congress accomplished what it set it out do to: end the rash of accounting scandals that plagued financial markets in the early 2000s.

Fast forward 20 years as we are faced with a steady stream of cybersecurity events. This week, the SEC charged SolarWinds and Chief Information Security Officer with fraud and internal control failures.

CISO criminal liability is something the cybersecurity community has been watching closely over the past several years. The fresh SEC charges against SolarWinds and its CISO come on the heels of a judge sentencing the Uber CISO to three years’ probation for his role in the coverup of a 2016 data breach at Uber. Threatening executives with jailtime is a powerful motivator. As the implementation of SOX materially strengthened financial controls and reporting, expect technology executives to insist on stronger cyber risk programs and mechanisms to provably demonstrate cyber posture:

• Increased use of quantitative frameworks to supplement opinion and professional judgement in cyber risk decision making
• CISO participation in regulatory disclosure process
• Larger cyber risk budget requests to close security control gaps
• Pay increases for qualified CISOs to compensate for personal risk
• Increased scrutiny on the contracted liability “teeth” for cybersecurity functions that are outsourced

The cybersecurity space is awash with tooling; it is difficult for even highly mature cyber risk programs to translate the effectiveness of their tooling in a way that is consumable by risk governance teams to know what cyber risk investments are appropriate and to react quickly in this highly dynamic space. Unlike financial controls which are relatively static over time, cyber controls faced with active adversaries must constantly evolve. Establishing an effective cyber risk governance structure and maintaining clear accountability within that structure is critical when making material statements about the current state of your security program.

Need a clear perspective on your cybersecurity?

GoSecure can guide you.

GoSecure Titan® Threat Modeler provides cyber risk executives a dynamic view of the effectiveness and appropriateness of their control tools and appropriateness of their controls in light of relevant threats.

Discover How

Explore GoSecure Penetration Testing Services, Advisory Services and GoSecure Titan® Threat Modeler for a comprehensive view of your cyber posture. GoSecure Titan® Threat Modeler, when combined with robust offensive testing from our penetration testing services and our advisory services will validate technical control efficacy to conduct GRC assessment programs that will evaluate the maturity of the security program, provides quantitatively rigorous and compelling evidence of effective control coverage against emerging threats, which supports strategic controls investments and cyber risk posture in general. Validate your security efficacy with GoSecure Titan® Threat Modeler combined with GoSecure Penetration Testing Services and Advisory Services.

Learn More