The SEC’s Office of Compliance Inspections and Examinations (OCIE) warned of a recent increase in the sophistication of ransomware targeting financial service providers. The OCIE issued guidance on tactics and techniques organizations can use to guard against these attacks, broken down into six key areas:
- Incident response and resiliency policies, procedures and plans,
- Operational resiliency,
- Awareness and training programs,
- Vulnerability scanning and patch management,
- Access management,
- Perimeter security.
The SEC warning is in line with other analysis showing that the cyber breach threat to organizations has greatly increased in the wake of the COVID-19 remote work environment. The SEC is right to emphasize the specific ransomware risk, which we have written about extensively and which is the attack type that is most damaging and costly for companies. The SEC’s recommendations for cyber defense and preparation are sound, and while Cyberhedge research shows that financial services is one of the top-rated sectors in terms of cyber governance, many firms are still deficient in some of these basic preparations.
And while ‘recommendations’ such as these issued by the SEC are welcome, improving cybersecurity and resiliency across the corporate sector as a whole requires formal and standardized disclosure requirements, so that proper cybersecurity and hygiene are no longer ‘optional’. Standardized requirements would also help C-suites, investors and other stakeholders better assess the cyber governance of individual companies, just as the disclosure requirements with defined metrics that companies must meet in other areas, such as financial or environmental impact, help those parties assess companies’ standings in those areas. Cyber is the only macro-level risk that isn’t treated like one.
And as the Cyberhedge Cyber Governance Indices clearly show, cyber governance impacts shareholder value. These indices have outperformed the overall market three years in a row, and in 2020 are beating the US and EU markets by 19% and 41% respectively.