McKinsey Releases Report Covering Updates to Corporate Cybersecurity Reporting and Transparency

McKinsey & Co. released a report titled “Cybersecurity legislation: Preparing for increased reporting and transparency,” which details how companies can segment their preparation into stages and take both short- and long-term actions to increase preparedness and comply with new US regulations. Two regulations are likely to affect multiple industries. First, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in March 2022, will require critical infrastructure companies, including financial services, to report cybersecurity incidents, such as ransomware attacks, to the Cybersecurity and Infrastructure Security Agency (CISA). Second, the SEC has proposed a rule requiring publicly listed companies to report to the SEC their cybersecurity incidents, their cybersecurity capabilities, and their board’s cybersecurity expertise and oversight. The report highlights that in 2021, “the FBI received the highest number of cybercrime complaints and reported total losses in history—nearly 850,000 complaints reflecting more than $6.9 billion in losses.” The report adds that this figure may represent only a small portion of such crimes, since many cybercrimes go unreported. Reasons include victims not recognizing that they were victims, reputational concerns or the potential for customer or investor backlash, and a determination by the company that paying a ransom would be an easier or faster path to resolution. These responses may no longer be viable, however, under CIRCIA and the SEC’s planned cyber-disclosure rule for registered companies. According to the report, companies can move toward compliance with these new regulations through a three-stage approach: determining baseline capabilities, identifying gaps against the reporting requirements, and developing a road map to fill those gaps.