Know the Risks: Managing SEC Cybersecurity Disclosures
Welcome to the new EY series titled “Know the Risks”, a question-and-answer series exploring hot-topic areas in consumer products and retail. We will periodically share perspectives on these topics, the risks they generate and potential actions companies can take to mitigate them. Through greater awareness, companies can proactively manage emerging risks to drive greater opportunity.
With October being Cybersecurity Awareness Month, and given the recent release of the SEC Cyber Disclosure rules, our first topic is cybersecurity and protecting consumer data, as seen by EY Americas Consumer Cybersecurity Leader Brian Wilkinson.
In the current environment, what are you seeing as the most pressing issues for retailers and brands in cybersecurity?
Brian: The newly released SEC Cyber Disclosure rules are generating a lot of discussion in the sector, and for good reason. While the rules themselves are fairly straightforward, there are broader questions that companies need to consider, such as: How does a breach affect our brand reputation and impact our materiality decision? Are executive leadership and the board comfortable with our current cyber risk management process? How do we know that we will continue to follow the risk management process provided in our disclosure?
Companies are also under large budget pressure, and the cyber function is not exempt. Many companies are looking for ways to optimize their cyber spend by reducing the number of single-product vendors and leveraging platforms that they may already own but have not fully deployed. They are also looking at how to best leverage managed services to enhance their security posture in areas where it is hard to recruit and retain talent.
Several high-impact breaches of third parties are also driving an increased focus on Third-Party Risk Management (TPRM) programs. Companies are evaluating the effectiveness of their programs and are considering expanding the programs to cover additional third parties that support critical business processes. Many of these third parties have not fallen under traditional TPRM security assessments that were focused on parties with access to sensitive data or the corporate network.
How can retailers and brands take advantage of the near-term opportunities to create stakeholder value?
Brian: With the new SEC Cyber Disclosure rules, it is a good time for companies to re-evaluate how they are assessing and managing cyber risk. Many times, this responsibility falls solely on the Chief Information Security Officer, but I think a collaborative approach that includes Enterprise Risk and Internal Audit may provide a more comprehensive solution that better protects the company and shareholders.
Companies can also differentiate themselves by the trust and transparency they provide to their end consumers. With the increasing amount of personal information that companies are collecting, consumers want to interact with companies that are transparent on how their information will be used and that they trust to protect their data. Companies should ensure that cybersecurity is not just a back-office function, but one that can be seen and understood by their consumers to build and maintain that trust.
The EY Future Consumer Index indicates that 53% of those surveyed are very concerned about data security/breaches. What does this mean for retailers and brands in the context of increasing use of digital technology by consumers? (See: How consumers rely on technology but don’t trust it, EY Global)
Brian: Companies are now engaging consumers on a variety of digital channels, and that will continue to accelerate with Generative AI and other emerging technologies. In fact, our latest Cybersecurity Leadership Insights Study shows that only 46% of cybersecurity leaders are well positioned to take on the cyber threats of tomorrow. Because of the pace of digital change and to protect the trust that the consumer is placing in the company, security and privacy teams need to be brought in at the early stages of initiatives. It is no longer feasible to do a security or privacy check just before a new project is launched; they need to be embedded throughout the process. Additionally, cybersecurity leaders need to move away from being “tech” focused and understand the business issues and strategy, as well as be a partner to other executives to deliver against the strategy while protecting the consumer’s trust.
My take:
What's the risk?
The building of data repositories to be mined for consumer insights is on the rise. The future is digital, and data insights are at the heart of driving a competitive advantage. Yet, consumers remain wary of sharing their prized information. With greater clarity and faster disclosures of cybersecurity breaches comes increased transparency for the consumer as to how well their data is being protected. Companies are forced to manage the balance between required disclosures and consumer concerns over data security.
What's the action?
Enhancing the processes and controls around cybersecurity program management and third-party risk management can create a more secure environment and generate more consumer trust. Additionally, companies can proactively link the enterprise-wide risk of cybersecurity to management action plans, which may include executing regular tabletop exercises to demonstrate their preparedness for the next attack or conducting internal audits of the maturity of the cybersecurity program to identify where continued focus is needed. It is also important to continue to analyze company vulnerabilities through attack-and-penetration reviews to close the pathways into your high-value assets.
For more from the EY Risk and Cybersecurity practices, please check out the following:
The views reflected in this article are the views of the author(s) and do not necessarily reflect the views of Ernst & Young LLP or other members of the global EY organization.
Comment from a reader (Americas Deputy Managing Principal & COO):
Informative Q & A session! Protecting consumer data is not only a legal responsibility but a fundamental component of building trust with customers and maintaining a competitive edge in today's digital landscape.