As we ramp down the activities of 2015, the cybersecurity landscape has certainly shaped strategy for the new year and beyond. Effective strategic planning is important and can lower risk and operational costs for organizations. Managers will usually plan for the changing threat landscape, looking at weaknesses and vulnerabilities internally and make a plan for how to shore up defenses. To plan effectively, you'll want to consider information on the coming changes in the security landscape as well.
Developing an effective roadmap should take into account indirect cybersecurity changes too. Several significant announcements happened in the last quarter of 2015 that could potentially impact how companies approach cybersecurity.
The TL;DR version is:
- 1) The SEC is changing its position on cybersecurity risk, shifting from a data focus to a market focus
- 2) Insurance companies are looking at cyber risk much more closely and will price it according how companies are prepared to deal with it
- 3) Company credit ratings will start to be influenced by their approach to cyber risk
In April 2015, the SEC division of Investment Management issued cyber security guidance. This guidance “highlights the need for firms to review their cybersecurity measures.” In September 2015, the SEC Office of Compliance Inspections and Examinations (OCIE) issued a cybersecurity risk alert. Combined with an OCIE Sweep Summary, these three documents may have significant precedential power, akin to law. What is clear is that the SEC is regarding cybersecurity as not just a risk to data, but to the markets themselves.
Which takes us to important point number two, Lloyd's of London is requiring syndicates (essentially underwriters) to properly consider cybersecurity risks as an essential component to pricing cybersecurity insurance. Lloyd's is demanding the underwriters have risk-appetite statements signed off by their boards by December of 2015, and estimate their exposures by 2016. This will have an impact on what companies pay for cyber insurance.
Lloyd's also lists Market Crashes as the highest risk in its City Risk Index 2015 – 2025.
The third significant announcement came from Moody's Investor Services. They state that rising risks in cyber security could potentially affect company credit ratings. Moody's said cyber defense, detection, prevention and response will be a higher priority in credit assessments. If you're a Moody's subscriber, you can get the report titled “Cross Sector – Global: Cyber Risk of Growing Importance to Credit Analysis.”
Although these announcements mostly pertain to publicly traded corporations, private companies could soon be affected as well. After all, many private companies emulate the rules around public companies to hedge their own risk.
The key takeaway for all of us? With the SEC and Lloyd's both identifying market risk as a driving factor for the future, cybersecurity in 2016 can take a much more important role in business planning and strategy. Use this opportunity to educate your executives and boards today.