Over-confidence can be costly, and that is especially true in cybersecurity. The current cybersecurity risk landscape, together with the U.S. Securities and Exchange Commission’s (SEC) new rules on incident reporting, has created an environment in which companies need to test their response capabilities rather than risk letting them stagnate.
Over-confidence was identified as a major risk factor in organizations’ approach to cybersecurity in Kroll’s The State of Cyber Defense 2023 report. Responses from 1,000 senior security decision-makers globally show that confidence in employees to stop a cyberattack (66%) ranks higher than trust in the accuracy of data alerts (59%) or in the effectiveness of cybersecurity tools and technologies (56%).
Added to this, the 2022 Kroll report, Cyber Risk and CFOs: Over-Confidence is Costly, highlights a sharp disconnect between CFOs’ high levels of confidence in their organizations’ cybersecurity abilities and the significant level of damage inflicted by cyber incidents. The report revealed that, while 87% of CFOs surveyed were overwhelmingly confident in their company’s ability to detect and respond to cyber incidents, most of the surveyed executives (61%) said that their businesses had suffered at least three significant cyber incidents in the past 18 months. This type of organizational cognitive dissonance can have significant consequences for businesses.
Most Trusted Methods by IT and Security Decision-makers
Within Four Days: A Major Challenge for Corporations
An excess of confidence in cybersecurity measures is not only a failure of organizational culture but a threat to business-as-usual. The risks are even greater under the new SEC rule, which marks a significant shift in how cyber breaches must be disclosed. Publicly traded companies are required to disclose details of a cyberattack within four business days of determining that it is material to the organization. It is vital that directors and boards do not simply focus on the short reporting window, but on what they need to do to be ready to meet the new requirements.
The assessment of ‘material’ is the key in this context. It assumes that organizations can quickly, accurately and reliably assess the materiality of a cyber incident as it unfolds. Yet that is not necessarily easy. In the critical early hours of an incident there may be limited information on which to base a materiality assessment, which makes the reporting decision problematic. The short reporting time-frame means that businesses do not have much time to decide how they will respond to a potential or actual incident. Without pre-authorized resources in place to support them, they may very quickly find themselves in trouble.
Stay Ahead with Kroll
Cyber and Data Resilience
Kroll merges elite security and data risk expertise with frontline intelligence from thousands of incident response, regulatory compliance, financial crime and due diligence engagements to make our clients more cyber resilient.
Cyber Risk Retainer
Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.
Computer Forensics
Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.
Penetration Testing Services
Validate your cyber defenses against real-world threats. Kroll’s world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cybersecurity assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.
Kroll Responder MDR
Stop cyberattacks. Kroll Responder managed detection and response is fueled by seasoned IR experts and frontline threat intelligence to deliver unrivaled response.
24x7 Incident Response
Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.
Cloud Security Services
Kroll’s multi-layered approach to cloud security consulting services merges our industry-leading team of AWS- and Azure-certified architects, cloud security experts and unrivaled incident response expertise.
Ransomware Preparedness Assessment
Kroll’s ransomware preparedness assessment helps your organization avoid ransomware attacks by examining 14 crucial security areas and attack vectors.