Risk Escalation and Disclosure: Transparency and accountability
Risk escalation and disclosure cover the processes for escalating cybersecurity risk in a programmatic way, not just incidents but also risks that fall outside the organization's tolerance. This element provides clear guidance within the organization and defines the mechanisms for reporting these incidents to external stakeholders, including regulators. The SEC’s mandate for reporting material cybersecurity incidents within four business days exemplifies the importance of having robust escalation and disclosure protocols.
The CRMP framework provides clear guidelines on how to establish effective risk escalation and disclosure processes. This includes defining thresholds for what constitutes a material cybersecurity risk and incident, establishing clear lines of communication within the organization, and developing protocols for timely external reporting.
A programmatic approach is critical to meet these new obligations and effectively manage risks in this digital environment. Approaches to risk management have historically revolved around a tool-based or ad hoc risk process that would not satisfy the maturing obligations. The basis of the SolarWinds civil action can fundamentally be traced to the absence of a programmatic cyber risk management program, and to outputs, reporting, escalation, and transparency that were not mature enough for the services the company provided and the responsibilities it bore.
Implementing the CRMP framework: Steps for compliance
Building and implementing a defined cyber risk management program is a journey. Most organizations have risk tools and processes in place. Shaping these into a program takes intention and time. Here is a recommended approach for using the framework, its four core elements, and 23 supporting principles:
Initial assessment: Companies should start by conducting a thorough assessment of their current cybersecurity risk management program. This includes assessing whether their risk practices form a program that can stand on its own, with basic policies and processes operationalized, rather than simply a collection of ad hoc risk tools.
Gap analysis: Compare current cybersecurity risk management practices against these new requirements, using the CRMP framework and the SEC’s new rules as the baseline. Identify gaps and the areas that need to be developed or improved.
Framework integration: Integrate a CRMP framework into existing cybersecurity practices and other risk frameworks the organization may have in place, such as enterprise risk management (ERM) platforms, ensuring that all aspects of the SEC’s mandates are addressed. This includes establishing clear protocols for incident reporting and developing comprehensive risk management processes.
Training and awareness: Conduct training and awareness programs for all employees, especially those involved in cybersecurity and risk management. Ensure that the board and management are well informed about their roles and responsibilities under the new framework.
Continuous monitoring and improvement: Establish mechanisms for continuous monitoring and assurance of cybersecurity risk management practices, providing regular updates to the cyber risk management program in line with the CRMP framework’s guidelines. This is separate from other cyber protection efforts: the program itself needs monitoring, and third-line audit plays a critical role in this.
Documentation and reporting: Document all processes, incidents, and management actions. Prepare for annual disclosures as per SEC requirements, ensuring that all aspects of the cybersecurity risk management program are clearly articulated and transparent.
The SEC’s new rules mark a watershed moment in corporate governance, placing cybersecurity at the forefront of regulatory and investor scrutiny. The CRMP framework, with its structured and comprehensive approach to cybersecurity risk management, offers a viable solution for companies looking to comply with these new mandates.
We’re in a transformative moment that calls for an intentional, transformative approach. By adopting the CRMP framework, companies can not only meet their regulatory obligations and protect themselves and their executives from budding liability, but also engage the security department strategically with the business as it finds an evolving balance of risk and reward in this digitized economy.