In 2011 the U.S. Securities and Exchange Commission (SEC) issued guidance on the disclosure of Cyber risks and Cyber incidents where they may significantly affect the risk of investing in the company reporting to the SEC.
This was controversial at the time and has recently led to an interesting revelation: many of the biggest US companies reporting Cyber incidents to the SEC have stated that they suffered no major financial losses as a result. The context should be remembered. On one hand these companies would like to reduce their reporting requirements and would love not to have to show their dirty laundry to the world; on the other hand these financial reports are personally signed off by the C-level executives in these companies, and errors, inaccuracies, omissions and lies can all lead to fines and jail time for the individuals involved.
I expect the SEC may start following up these reports with ‘materiality assessments’ that will define the level of risk or impact they expect to see reported, but the pattern of reported losses suggests a disconnect between the Cyber experts’ view of the scale of the problem and the C-level business leaders’ view of it.
I’ve spoken before about the expert problem of suppressing uncertainty when assessing risk, and there are plenty of very good analyses of why this happens. Fundamentally, experts tend towards providing overly confident, simplified answers to non-experts.
It is my belief that the Cyber experts, and I count myself among them, are overestimating both the likelihood and the impact of Cyber risks and are overconfident in those estimates. The temptation to record risks by their worst-case impact rather than their most likely impact arises because the worst case supports investment in our roles and activities. We may not be doing this deliberately, but as experts we are not neutral when discussing our area of expertise.
The challenge we face is to bring a level of rigour around calibration and uncertainty to our advice without turning off the business users by sounding unsure or presenting advice that is too complicated. There are some good sources of advice available on how to improve; we just need to think about how we apply them to our daily working lives.
Do you agree with the assertion that the financial cost of Cyber attacks on business is significant and worthy of board level attention? Are you confident in that assertion?