What Is Operational Risk and Why Should You Care? Assessing SEC Rule Readiness for OT and IoT
The newly released SEC cyber incident disclosure rules have raised concerns about whether public companies are prepared to define operational risk and to disclose material business risk arising from cyber incidents. The rules require companies to disclose a cybersecurity incident within four business days of determining that the incident is material, and to describe annually their cybersecurity risk management, strategy, and governance.

Operational risk, in this context, refers to situations in which an organization loses control of, or visibility into, a connected physical process, leading to downtime and financial loss. To meet the reporting requirements, companies need to understand operational risk, inventory and evaluate their OT and IoT assets, and fold those assessments into their disclosure process.

The historically reactive nature of cybersecurity has encouraged risk avoidance, but the SEC rule requires organizations to report on how they actively mitigate material risk. Lack of visibility into OT and IoT systems leaves room both for accidents and for longer dwell time by threat actors. Because incidents in OT networks can have high-consequence physical and financial impacts, companies need to be able to answer key questions about what systems they operate, what the threat landscape looks like, which vulnerabilities affect those systems, and which security controls are already in place.