When Big Tech CEOs testified on Capitol Hill last year, plenty of senior members became memes for their seeming failure to grasp the basics of the Internet and social media. But while some questions were inelegant, make no mistake — Congress is paying increasing attention to tech and cybersecurity.
We see this with the new House Democratic majority, who made cybersecurity a priority in their top legislative package, H.R. 1. While the focus is on election security, the inclusion of cybersecurity in this bill highlights how anxieties around tech have gone from the fringes to the mainstream in the past two years. And concerns about Big Tech are not limited to Democrats, making the protection of user data a rare area of bipartisan agreement. For those companies that feel they dodged a bullet when GDPR went into force last year, a law like that could arrive at the federal level in this Congress or the next one.
What does the “techlash” on Capitol Hill mean for non-FAANG companies? Along with a focus on social media and the privacy of user data will come increased scrutiny of corporate cybersecurity practices… and increasingly little patience for breaches. In other words, be prepared to spend more time getting your cybersecurity house in order, because the federal government is slowly but surely turning its attention your way.
This has already started happening. Last February, the SEC updated its Interpretive Guidance on how public companies should disclose cybersecurity risk. Working from the idea that public companies should disclose meaningful incidents in a timely way, the SEC said companies must have a methodology to manage and disclose the risks that led to those incidents. And to do that, companies need a surveillance program for monitoring the risks they face.
Public companies considering an acquisition aren’t excused from this requirement. They must also follow through on building the meaningful cyber risk management system outlined by the SEC for the property being acquired. If a public company is considering an acquisition, the SEC’s guidance dictates that the parties should do an analysis to reveal these potential sources of concern.
To do that, companies need a system designed to measure risk. Right now, business leaders often aren’t getting this type of actionable information from their current cybersecurity program. They may hear about controls, compliance and possibly some risk information on a stoplight chart basis (what is a yellow risk worth?), but that reporting does not identify what the risks are worth, nor how much the cybersecurity program is driving those risks down.
Measuring risk means reviewing the impact and likelihood of potential incidents and doing the detailed work of understanding what could go wrong. The Factor Analysis of Information Risk (FAIR) standard is an excellent approach to estimating the problems that can arise in these transactions. And for companies that may seek to enter equity markets in the future, having this process already in place will help them avoid having to catch up later.
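As an added illustration of what a quantitative answer to “what is a yellow risk worth?” looks like, the Python script below (written for this page; it is not code from the original post, from Foresight Resilience Strategies, or from any FAIR tooling) runs a FAIR-style Monte Carlo estimate: loss event frequency is modelled as threat event frequency times vulnerability, each loss event carries a loss magnitude, and the annualized loss is the sum over a simulated year. The scenario, its three-point estimates, the dollar figures and the before/after control comparison are all constructed assumptions, and the PERT and Poisson sampling are simplifications of what commercial FAIR tools do.

```python
"""FAIR-style Monte Carlo estimate of annualized loss (constructed example, not the FAIR standard's own code)."""
import math
import random
import statistics
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Estimate:
    """A calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    likely: float
    high: float


@dataclass(frozen=True)
class Scenario:
    """One loss scenario: how often threat events occur, how often they succeed, and what each costs."""
    name: str
    threat_event_frequency: Estimate  # threat events per year
    vulnerability: Estimate           # probability that a threat event becomes a loss event
    loss_magnitude: Estimate          # dollars per loss event (primary plus secondary loss)


def pert_sample(rng: random.Random, e: Estimate) -> float:
    """Draw one value from a PERT (shaped beta) distribution over the three-point estimate."""
    span = e.high - e.low
    if span <= 0:
        return e.low
    alpha = 1 + 4 * (e.likely - e.low) / span
    beta = 1 + 4 * (e.high - e.likely) / span
    return e.low + rng.betavariate(alpha, beta) * span


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Number of loss events in one simulated year for an expected frequency lam (Knuth's method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_loss(s: Scenario, trials: int = 10000, seed: int = 1) -> List[float]:
    """Simulate `trials` years; each year draws a loss event frequency, an event count, and per-event losses."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    results = []
    for _ in range(trials):
        lef = pert_sample(rng, s.threat_event_frequency) * pert_sample(rng, s.vulnerability)
        events = poisson_sample(rng, lef)
        results.append(sum(pert_sample(rng, s.loss_magnitude) for _ in range(events)))
    return results


def summarize(losses: List[float]) -> Dict[str, float]:
    """Turn the simulated years into the numbers a board can act on: expected loss and tail percentiles."""
    ordered = sorted(losses)
    n = len(ordered)

    def pct(p: float) -> float:
        return ordered[min(n - 1, int(p * n))]

    return {"mean": statistics.fmean(ordered), "p10": pct(0.10), "p50": pct(0.50),
            "p90": pct(0.90), "max": ordered[-1]}


def risk_reduction(before: Scenario, after: Scenario, trials: int = 10000, seed: int = 1) -> float:
    """Dollar value of a control: expected annual loss before it minus expected annual loss after it."""
    return (summarize(simulate_annual_loss(before, trials, seed))["mean"]
            - summarize(simulate_annual_loss(after, trials, seed))["mean"])


# Constructed scenario: phishing-led credential theft against a finance team (all numbers are assumptions).
BASELINE = Scenario(
    name="credential phishing, baseline",
    threat_event_frequency=Estimate(2, 12, 40),
    vulnerability=Estimate(0.05, 0.20, 0.50),
    loss_magnitude=Estimate(20_000, 150_000, 1_500_000),
)
# Same scenario after a control (assumed: phishing-resistant MFA) lowers the chance an attempt succeeds.
WITH_MFA = Scenario(
    name="credential phishing, with MFA",
    threat_event_frequency=BASELINE.threat_event_frequency,
    vulnerability=Estimate(0.01, 0.05, 0.15),
    loss_magnitude=BASELINE.loss_magnitude,
)

if __name__ == "__main__":
    for scenario in (BASELINE, WITH_MFA):
        print(scenario.name, {k: round(v) for k, v in summarize(simulate_annual_loss(scenario)).items()})
    print("annual risk reduction from the control:", round(risk_reduction(BASELINE, WITH_MFA)))
```

The point of the output is the contrast with a stoplight chart: instead of “yellow”, the program reports an expected annual loss and a 90th-percentile bad year in dollars, and the difference between the two runs is what the control is worth, which is exactly the kind of number the disclosure methodology described above needs.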
Because Congress is coming.
Want to know how to use FAIR to address your SEC disclosure requirements? Click here to schedule a fifteen-minute call with Foresight Resilience Strategies to learn more.