Why Independent Benchmarking Data is a Critical Part of SEC Cybersecurity Disclosure Strategy

Independent benchmarking for SEC disclosure strategy

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) voted to adopt new cybersecurity requirements for publicly traded companies. These regulations create new obligations for reporting material cybersecurity incidents and disclosing critical information related to cybersecurity risk management, expertise, and governance. Companies will be required to disclose risks in their annual reports beginning on December 15, 2023.

Many cybersecurity leaders are embracing this momentous occasion as a strategic advancement that cements their critical role in the business. In the months ahead, CISOs, General Counsels, Corporate Secretaries, and Investor Relations teams will need to figure out how to effectively communicate information about their company’s cybersecurity program to shareholders and the broader market. Public companies are now taking a variety of approaches to disclosing cybersecurity information to their investors, including through the annual report (10-K), the annual sustainability report, the annual ESG report, the annual shareholder presentation, and even dedicated annual cybersecurity reports.

How can they effectively tell their company’s cybersecurity story? What data should they include? What do investors want—and need—to know?

Independent cybersecurity benchmarking results are quickly becoming one of the primary data points included in any investor disclosure.

Independent benchmarking is an objective analysis of an organization’s cybersecurity performance based on quantitative data. Independent benchmarking data comes from non-intrusive, continuous, comprehensive data collection, which allows for the creation of comparable, reliable insights and metrics. Independent benchmarking allows security leaders to compare their organization’s cybersecurity performance with peers, or across entire sectors and industries, on an ongoing basis. This type of benchmarking helps leaders know how their programs are performing over time and whether that performance is aligned with industry standards of care.

Bitsight helps organizations perform independent benchmarking by evaluating the security performance of organizations in a continuous, non-intrusive manner. Our ratings and analytics enable business leaders to understand their organization’s security performance across 23 different risk vectors. Capabilities like Bitsight Peer Analytics allow CISOs to analyze their organization’s performance against industry and sector peers of their choosing. Bitsight delivers a quantitative, objective analysis of organizational cybersecurity performance compared to tens, hundreds, thousands, or even hundreds of thousands of peers, all immediately available.


Many companies find that publicly disclosing independent benchmarking data is a highly effective way of communicating cybersecurity performance to shareholders and the broader marketplace. This helps improve shareholder confidence and trust in their investment decisions. Some examples of disclosing benchmarking data include:

  • Equifax includes cybersecurity performance benchmarks in its Annual Security Report. Equifax focuses on its performance compared to peers in the Finance and Technology sectors. Equifax notes that its security capabilities “ranked in the top 1% of Technology companies and top 3% of Financial Services companies analyzed.”
  • Darling Ingredients leverages cybersecurity performance benchmarks in its Annual ESG Report, describing its cyber program as “being in the top 10% of the Energy/Resource Industry.”
  • Schneider Electric includes cybersecurity performance benchmarks in its Annual Sustainability Report, describing its program as being ranked “in the Top 25% in external ratings for Cybersecurity performance.”

Other companies find that disclosing their individual security performance rating meets investor requirements. For example, DHL includes its own cybersecurity performance rating in its Annual Earnings Results presentation.

Shareholders and investors value meaningful data that helps them truly understand the risk of an organization. And organizations trust Bitsight’s data for independent benchmarking and disclosure because its analytics are strongly correlated to cybersecurity incidents. In a recent independent study by the Marsh McLennan Cyber Risk Analytics Center, a total of 14 Bitsight analytics—including the Bitsight Security Rating—were found to be strongly indicative of incident likelihood. Bitsight is still the only security ratings provider with multiple, independent third-party studies proving that its analytics have statistically significant correlation to critical outcomes, including cybersecurity incidents, data breaches, and company stock performance.

In summary, independent benchmarking data is quickly becoming a critical data point for business leaders who are evaluating their new obligations, understanding their cybersecurity programs, and crafting effective disclosure strategies. Please reach out to a Bitsight representative who can help you understand your organization’s cybersecurity performance and industry benchmarks.