‍After cyber insurance rates skyrocketed from late 2020 to 2022, when the majority of the market had little choice but to switch to a completely remote way of working, prices have slowly started to drop. This new downward trend is promising, as organizations are increasingly searching for the most cost-effective ways to manage their cyber risks and offset potential losses.

Cybersecurity expertise is notoriously absent from the boardroom. Only last year, a market analysis found that a mere 12% of US Fortune 500 companies have a board member with adequate knowledge of cyber risk management. However, increased cybersecurity regulations, coupled with heightened cyber event costs, have begun to highlight the need to rectify this void as soon as possible.

‍After unearthing evidence as early as May 2024, cloud computing–company Snowflake released an official statement on June 2, reporting that they were investigating a series of targeted cyber events. A week later, Google's Mandiant, who, alongside Crowdstrike, is aiding Snowflake in this investigation, concluded that clients had been attacked after malicious actors had gotten access to compromised credentials.

‍Determining and disclosing impactful events has been a longstanding practice for organizations operating within the US market. As early as 1933, with the Securities Act, publicly traded businesses were required to disclose “material information” regarding their security environment, allowing shareholders to make more informed investment decisions.

In March 2022, when the not-so-new-anymore SEC cybersecurity regulations were initially drafted, some argued that smaller reporting companies, defined by having a public float of less than $250 million or an annual revenue of less than $100 million, should be exempt, given the "outsized costs" they faced. Others proposed that these smaller organizations should have a longer disclosure deadline, helping to alleviate the chances of non-compliance.

‍ ‍ ‍Private equity (PE) firms are becoming increasingly attractive targets for cybercriminals. Malicious actors are keen to capitalize on the ecosystem's access to an incredibly extensive and diverse array of sensitive data, particularly susceptible during and after M&As, as well as the notoriously low cybersecurity measures in place among the smaller businesses that some PE firms chose to hold.

Successful entrepreneurs all have one thing in common: they know how to manage business risks effectively, even as they evolve. Since the inception of the modern marketplace, and arguably before, innovative leaders have been able to assess their organizations' internal and external vulnerabilities and develop mitigation strategies accordingly.

‍Since the SEC's latest cybersecurity regulations went into effect, thousands of companies have already been compelled to submit their annual Form 10-K with the novel Item 1C. Similarly, dozens of organizations have filed updated Form 8-Ks to disclose cybersecurity incidents. Slowly but surely, these public reports are helping investors become more aware of the intrinsic relationship between cyber risk and market value.