A Universal Model for Assessing Cyber Risk Part 2: Following the Path of Financial Governance
In part 1 we examined how the increasing incidence of cyber breaches is bringing significant pressure on corporate directors to assume more oversight of cyber risk. In part 2 we contrast the rise of cybergovernance (cybersecurity governance) with the history of financial governance following the passage of the Sarbanes-Oxley Act.
In the early 2000s, a series of breathtaking corporate financial scandals that resulted in sharp declines in the value of technology stocks made huge headlines. A rash of fraud incidents by officers of highly valued companies (e.g., Enron, WorldCom, Tyco International, Peregrine Systems) received extensive publicity. As a result, the world discovered the astounding lack of credible controls on financial operations and reporting within many organizations. Waning public and investor confidence in a handful of offending companies threatened to broaden into a deep and lasting loss affecting the U.S. economy.
That threat motivated Congress to act. It began searching for a way to mitigate the risk caused by loose financial reporting, and the result was passage of the Sarbanes-Oxley Act in 2002 by the Senate Banking Committee. The Act dealt with many issues, including conflicts of interest involving auditors and financial analysts, sloppy banking practices, and executive compensation based upon questionable measures of financial performance.
As companies struggled to react to and comply with the new financial regulations, software and services solutions emerged to ease compliance. Eventually a new financial governance market came to be known as Governance, Risk, and Compliance, or GRC. Since 2002, the market has grown rapidly, reaching an estimated $5-7 billion in 2015 (see figure). A need for clear standards led to the development of new benchmarks and frameworks for evaluating the value of companies based upon the certified financial statements required by Sarbanes-Oxley.
As pressure on corporate boards to provide better oversight of cybersecurity readiness grows, some say that this new cybergovernance requirement is merely an extension of the financial governance space. Their argument suggests that cybersecurity risk is simply another form of financial risk, and that applying existing legislation and standards will be adequate to address it. While reusing existing risk management systems seems like an efficient method for dealing with emerging cyber issues, the reality is that financial governance and cybergovernance differ in fundamental ways. Combining them would result in cyber risk blind spots. While it is tempting to add window dressing for cyber risk to financial governance, this solution is inadequate to address the significant threat that cyberattacks represent.
While the sheer magnitude of cyber risk demands a separate board focus, the differences between financial governance and cybergovernance are qualitative as well as quantitative. Financial governance is driven by the internal threat of poor financial accountability and its effect on company valuation. In contrast, the threat to company valuation caused by cybersecurity vulnerabilities is external.
Cybergovernance is likely to follow a path similar to that followed by financial governance over the last decade or so. Just as highly publicized fraud cases drove changes in financial reporting over a decade ago, now a rash of highly publicized breaches is instigating the rise of cybergovernance. The loss of public and investor confidence due to financial risk propelled the quest for a legislative solution and the passing of Sarbanes-Oxley; the loss of public and investor confidence resulting from cyberattacks is fueling efforts to mitigate cyber risk.
An inevitable move toward legislative measures has begun, with a number of bills having been recently introduced in Congress. Fifteen years ago, as a response to the financial governance crisis was unfolding, the focus of government action was the Senate Banking Committee. Today, calls for better cybergovernance are coming from the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), the Financial Industry Regulatory Authority (FINRA), and other agencies tasked with protection of investors and consumers.
Conversations with experienced congressional observers make it realistic to expect the passing of a significant piece of cybersecurity legislation in the next 18 months or so. When that happens, the need for a common view of cybergovernance will become more obvious to both insurers and insureds.