Cybersecurity Reporting Updates with Hilary Tuttle of Risk Management Magazine

Release Date:

Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society.

RIMS Risk Management Magazine Managing Editor Hilary Tuttle rejoins RIMScast to discuss new cyber incident reporting policies issued by the SEC. (Press release: sec.gov/news/press-release/2023-139.) Hilary talks about the key role that governance plays in the SEC’s announcements and how risk managers need to put this on their radar and even use it as an opportunity to demonstrate their value to the organization. Hilary also discusses a cyber insurance market outlook for the latter half of 2023.

Key Takeaways:

[:01] About RIMScast and the RIMS App, an exclusive benefit for RIMS members.
[:32] About today’s episode, where we will discuss some major cyber reporting news with RIMS Risk Management Magazine Managing Editor Hilary Tuttle.
[:58] All about exciting, upcoming RIMS events! Registration is open for the RIMS Canada Conference 2023, which will be held September 11th–14th in Ottawa! Visit RIMSCanadaConference.ca for more information.
[1:19] On September 14th, the Spencer Educational Foundation returns to New York City for its Annual Funding Their Future Gala. The event will be held at the Cipriani on 42nd Street. A link is in this episode’s notes. You can also visit SpencerEd.org.
[1:36] The RIMS Western Regional Conference will be held October 4th–6th in Vail, Colorado. Visit RIMSWesternRegional.com for more information and to register.
[1:48] Head to the RIMS.org/Advocacy page to find information about the RIMS Legislative Summit, which is returning to Washington, D.C. on October 25th and 26th.
[2:02] We are very excited about the RIMS ERM Conference 2023, which will be held November 2nd and 3rd in Denver, Colorado! The theme is Elevate and Evolve. Registration will open soon, as will a call for nominations for the ERM Award of Distinction. Visit the events page on RIMS.org for more information.
[2:25] We are accepting educational session submissions for RISKWORLD 2024. See the link to the online submission form in this episode’s notes. RISKWORLD 2024 will be held May 5th–8th in San Diego!
[2:44] Cyber is on our radar here at RIMScast! In July 2023, the United States Securities and Exchange Commission issued new rules for cyber incident reporting as well as guidance for cybersecurity governance. I asked my colleague Hilary Tuttle to join us here on RIMScast. Hilary is the RIMS Risk Management Magazine managing editor.
[3:16] Hilary is our resident authority on cyber. She’s been reporting on it for years. She’s here to tell us what’s going on and what you need to know if you are a business leader, risk manager, or chief technology officer when it comes to these new reporting guidelines.
[3:45] Justin welcomes Hilary Tuttle back to RIMScast. Justin says he thinks of Hilary Tuttle when he sees cyber news.
[4:10] The big news is that the United States SEC adopted some controversial new cybersecurity reporting rules, and we need to talk about them. There’s the hook, and then there’s the deeper understanding of what’s going on. First, we’ll talk about the hook.
[4:38] Hilary says organizations are going to have to report to the SEC any cyber incident within four days of assessing the material financial impact of an incident. A material financial impact is financial losses or a significant impact on a company’s financial performance or results. This may be a reputation risk with a potential dip in stock price.
[5:34] The SEC has not stipulated what qualifies as a significant impact on a company’s financial performance or results. The rule on incident reports starts in December 2023. The rule on incidents that must be reported in annual reports starts in fiscal years beginning in 2024.
[6:31] Organizations have to establish that an incident happened. Was there data exposure? Was there a loss? Was there a disruption or outage because of a malicious actor? The forensics on these questions is what takes time for certain cyber incidents. The SEC is not making stipulations about how long the forensics should take.
[7:24] The organization has to establish that the incident will have a material impact on financial performance. For large public companies, that can be a high bar to clear. Companies vary widely in the maturity of their current capacity to quantify the impact of a cyber incident.
[7:57] The new requirement does not stipulate timing relative to the onset of the cyber attack or exposure. The clock starts ticking once you realize that materiality is involved. That’s an easier timeframe to meet. This is an important bar, and companies may not be prepared to do the math needed to meet it.
[8:32] The risk manager needs to align with the CFO and CTO to establish that equation. This also demonstrates the value the risk manager brings to that equation.
[9:20] Justin plugs the ERM Conference 2023 in Denver, on November 2nd and 3rd. Registration opens Friday, August 18!
[9:41] Will these new reporting requirements lead to an increase in whistleblower claims, investigation, and litigation? New regulations lead to a formalized focus on what is unacceptable or illegal behavior, so there could be an increase in whistleblowing.
[10:32] Hilary has seen a budding class of shareholder-derivative suits that focus on cyber governance, the material impact of cyber incidents, and the board’s fiduciary duties for cyber. This development reflects an evolution in our thinking about the tangible impacts of cyber risk, their severity, and where the responsibility lies.
[11:10] The board and management have obligations, and their dereliction of those duties has a concrete impact on a company’s future and its shareholders. That is an actionable claim. We are seeing more formalization of those expectations and, in turn, more consequences for failures.
[11:47] The real headline in this decision is that the SEC is requiring formal cybersecurity risk management, strategy, and governance.
[12:09] Publicly registered companies are going to need to incorporate formal disclosures into their annual reports, describing what, if any, processes they have in place for assessing, identifying, and managing material risks from cyber threats, the reasonably likely material impact of cyber threats, and previous cybersecurity incidents.
[12:35] The SEC is also going to require companies to describe their board’s oversight of cyber risks and management’s role and expertise in assessing and managing material risks from cyber threats. That means companies have to have a cyber risk management strategy and governance processes. Many do not.
[13:00] The requirement for a cyber risk management strategy and governance processes is the biggest burden on companies in terms of ensuring compliance with this rule. A lot of boards lack the expertise to effectively oversee real cyber risk governance. The SEC is highlighting that cyber risk is business risk. It impacts viability.
[14:22] Cyber risk has been one of the top global risks listed by the WEF for years. Gary Gensler, chair of the SEC, noted that the requirement is aimed at making disclosures consistent, comparable, and decision-useful. Cybersecurity risk management plays a key part in establishing or maintaining a company’s value and survivability.
[15:38] RIMS plug time! Sponsor an episode of RIMScast! Contact us at pd@rims.org. For upcoming virtual workshops, visit RIMS.org/virtualworkshops for the calendar. Managing Data for ERM is a three-module course that begins September 21st.
[16:21] Optimizing Risk Management with Artificial Intelligence will be led on September 28th by Pat Saporito. Chris Hansen will be leading Managing Worker Compensation, Employer’s Liability, and Employment Practices in the US on November 7th and 8th. Be sure to register for that course!
[16:55] Information about these sessions and others is on the RIMS Virtual Workshops page. Check it out and register!
[17:03] The RIMS-CRMP-FED Exam Prep is on August 15th through 17th, 9:00 am–4:00 pm EDT. For anyone attending RIMS Canada on September 10th and 11th, there will be a RIMS-CRMP Exam Prep In-Person Workshop in Ottawa, led by former RIMS President Chris Mandel.
[17:29] Visit RIMS.org/Certification for these and future workshops. A link is also in this episode’s show notes, as is a link to the full Virtual Workshop calendar.
[18:11] Hilary shares thoughts about the cyber insurance market for the rest of 2023. She sees signs of optimism. Some businesses have come a long way toward addressing their cybersecurity risks with the more common, low-hanging fruit of phishing education, implementing multi-factor authentication, and crafting tougher passwords.
[18:49] There’s been a big shift in how ransomware victims respond. Ransomware losses have driven the hard market in cyber insurance. In 2019, 76% of victims paid the ransom. In 2022, 46% of victims paid the ransom. Victims are becoming more savvy about phishing and secure backups. Their insurance may have a ransomware exclusion.
[20:38] The cyber insurance market is getting more profitable, and rates are moderating after a number of quarters of brutal rate hikes. That’s great news for risk managers. Marsh’s latest Global Insurance Market Index found that globally, cyber insurance pricing moderated to a 1% increase in Q2, compared to 11% in Q1 and 28% in Q4 2022.
[21:13] It’s better news in the U.S. Rates decreased 4% in Q2, compared to an 11% increase in Q1. So things are looking up. Rates will not return to pre-ransomware days. We know a lot more now about what cyber costs. Hopefully, you know more about your exposure and your modeling. In light of litigation about cyber coverage, there’s more clarity about what it covers.
[22:08] We’re getting a more realistic perspective of what cyber should be and can be for buyers going forward. When it comes to cybersecurity and vulnerability, there’s always something you can do better. There is always a way that a threat actor will get you. But there is a bit more room to feel cautiously optimistic about the cyber insurance market.
[23:22] Whether the market remains “flattish” will depend on the companies and their losses in the latter half of 2023.
[23:32] Justin thanks Hilary for coming on and breaking it down for us. This is valuable for the audience to know. We may follow up on the SEC rule at the beginning of next year, once everything goes into effect for everyone. It will be interesting to see how enforcement shapes up regarding the governance requirements.
[24:15] Justin thanks Hilary for joining us again on RIMScast.
[24:20] Special thanks to RIMS Risk Management Magazine Managing Editor Hilary Tuttle for joining us here today. Links to RIMS coverage of the SEC’s new cyber reporting rules are in this episode’s show notes. Be sure to check out Risk Management Monitor and RMMagazine.com for news as well.
[24:41] The new issue of Risk Management Magazine is now live in print and online. Visit RMMagazine.com.
[24:49] You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in our show notes. RIMScast has a global audience of risk professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let’s collaborate! Contact pd@rims.org for more information.
[25:34] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information. The RIMS app is available only for RIMS members! You can find it in the App Store.
[25:59] Risk Knowledge is the RIMS searchable content library that provides relevant information for today’s risk professionals.
Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more.
[26:15] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com and in print, and check out the blog at RiskManagementMonitor.com. Justin Smulison is Business Content Manager. You can email Justin at Content@RIMS.org.
[26:37] Justin thanks you for your continued support and engagement on social media channels! We appreciate all your kind words. Listen every week! Stay safe!

Mentioned in this Episode:
NEW FOR MEMBERS! RIMS Mobile App
Submit an Educational Session for RISKWORLD 2024
RIMS ERM Conference 2023 | Nov 2–3 in Denver, CO!
RIMS Canada 2023 — Sept. 11–14 in Ottawa!
Spencer Educational Foundation — Funding Their Future Gala — Sept. 14, 2023
Contribute to Risk Management Magazine
RIMS Western Regional — Oct 4–6, Vail, Colorado
RIMS-Certified Risk Management Professional (RIMS-CRMP)
Dan Kugler Risk Manager on Campus Grant

Upcoming Virtual Workshops:
Fundamentals of Risk Management | Aug. 8–9
Optimizing Risk Management with AI | Sept. 28
Managing Worker Compensation, Employer’s Liability and Employment Practices in the US | Nov 7
See the full calendar of RIMS Virtual Workshops
RIMS-CRMP-FED Exam Prep Virtual Workshop | August 15–17, 2023, 9:00 am–4:00 pm EDT
RIMS-CRMP Exam Prep In-Person Workshop in Ottawa, ON, Canada | September 10–11, 2023, 9:00 am–4:00 pm EDT
All RIMS-CRMP Prep Workshops

Related RIMScast Episodes:
“Near-Misses Still Count”: Risk Management Magazine’s Morgan O’Rourke and Hilary Tuttle
“Mid-Year 2023 Update with Morgan O’Rourke and Hilary Tuttle”
“Cybersecurity and Insurance Outlook 2023 with Josephine Wolff”
“Genuine Generative AI Talk with Tom Wilde of Indico Data”

Sponsored RIMScast Episodes:
“Subrogation and the Competitive Advantage” | Sponsored by Fleet Response (New!)
“Cyberrisk Outlook 2023” | Sponsored by Alliant (New!)
“Chemical Industry: How To Succeed Amid Emerging Risks and a Challenging Market” | Sponsored by TÜV SÜD
“Insuring the Future of the Environment” | Sponsored by AXA XL
“Insights into the Gig Economy and its Contractors” | Sponsored by Zurich
“The Importance of Disaster Planning Relationships” | Sponsored by ServiceMaster
“Technology, Media and Telecom Solutions in 2023” | Sponsored by Allianz
“Analytics in Action” | Sponsored by Alliant
“Captive Market Outlook and Industry Insights” | Sponsored by AXA XL
“Using M&A Insurance: The How and Why” | Sponsored by Prudent Insurance Brokers Ltd.
“Zurich’s Construction Sustainability Outlook for 2023”
“Aon’s 2022 Atlantic Hurricane Season Overview”
“ESG Through the Risk Lens” | Sponsored by Riskonnect
“A Look at the Cyber Insurance Market” | Sponsored by AXA XL
“How to Reduce Lithium-Ion Battery Fire Risks” | Sponsored by TÜV SÜD
“Managing Global Geopolitical Risk in 2022 and Beyond” | Sponsored by AXA XL

RIMS Publications, Content, and Links:
RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community!
RIMS Virtual Workshops
On-Demand Webinars
Risk Management Magazine
Risk Management Monitor
RIMS Risk Leaders Series
RIMS-Certified Risk Management Professional (RIMS-CRMP)
RIMS-CRMP Stories — New interview featuring Roland Teo!
Spencer Educational Foundation
RIMS DEI Council
RIMS Path to the Boardroom

RIMS Events, Education, and Services:
RIMS Risk Maturity Model®
RIMS Events App | Apple | Google Play
RIMS Buyers Guide

Sponsor RIMScast: Contact sales@rims.org or pd@rims.org for more information.

Want to Learn More? Keep up with the podcast on RIMS.org and listen on Apple Podcasts. Have a question or suggestion? Email: Content@rims.org.

Join the Conversation! Follow @RIMSorg on Facebook, Twitter, and LinkedIn.

Follow up with Our Guest:
Chris Hansen on LinkedIn
Snug Harbor Risk Consulting
RIMS New Jersey Chapter

Tweetables (For Social Media Use):

“Organizations are going to have to report any cyber incident within four days … of assessing material financial impact of an incident. … [A material financial impact is] financial losses or a significant impact to a company’s financial performance or results.” — Hilary Tuttle

“You have to establish that an incident happened. Was there data exposure? Was there a loss? Was there disruption or outage because of a malicious actor? The forensics on that part is often what takes time for certain types of cyber incidents.” — Hilary Tuttle

“As Gary Gensler, the chair of the SEC, noted, the requirement here is aimed at making sure that these disclosures are consistent, comparable, and decision-useful and I think that’s a really interesting point.” — Hilary Tuttle

“It’s kind of a nice affirmation that, again, cyber risk is business risk. And cybersecurity risk management plays a really key part in establishing or maintaining a company’s value.” — Hilary Tuttle
