Cyber Risk Benchmarking for SEC-Ready Oversight

SEC cyber disclosure rules are reshaping board accountability. Learn how peer benchmarking brings context and defensibility to cyber risk oversight and why it’s becoming essential for governance.
The cybersecurity disclosure rules issued by the U.S. Securities and Exchange Commission (SEC) in 2023 marked a turning point in how organizations approach cyber risk governance. By requiring public companies to not only disclose material cyber incidents, but to also describe the way they oversee and manage cyber risk, the SEC effectively elevated cybersecurity from a technical concern to a matter of formal accountability for corporate leadership and board members.
In this new environment, directors and executive teams need to address a new question: How do we demonstrate that our oversight of cyber risk is informed, rigorous, and defensible?
Peer benchmarking has emerged as a critical part of the answer. When done well, benchmarking provides an empirically grounded framework for assessing cybersecurity performance and setting a course for what the firm needs to do next.
Learn how ISS-Corporate can help you establish a meaningful benchmarking program for cyber risk »
While the SEC rules only require firms to describe what they do rather than requiring them to take any specific action, the fact that something must be disclosed has helped companies see the value in disclosing something meaningful and prompted executives and boards to assess their actions in a more rigorous way.
Why Cyber Risk Benchmarking Matters Under SEC Rules
This post explores how peer benchmarking supports effective cyber risk oversight across four key dimensions: risk understanding, capital allocation, stakeholder communication, and independent validation. Key to all these dimensions is the veracity of the benchmark itself, so we close by addressing what makes a benchmark defensible.
Using benchmarking to strengthen cyber risk understanding
Under the SEC rules companies always have the option of disclosing that they are doing very little; but this would hardly be reassuring to investors or the public. The simplicity of the SEC’s disclosure rules creates a compelling rationale for disclosing a substantive oversight process, and a company can’t disclose a substantive process unless it has one. Peer benchmarking plays a central role in meeting the expectations that are emerging as a result of this very simple disclosure framework. In order to effectively oversee cyber risks, you need to know from where you are starting, your rate and direction of change, and where your efforts ought to take you.
Cybersecurity metrics, when viewed in isolation, are often difficult to interpret. Vulnerability backlog metrics, defect closure rates, and patching cadence offer limited insight without context. Benchmarking addresses this by placing performance in a relative, peer-based framework.
Abstract questions such as “are we secure?” are not really answerable. Instead, organizations need to ask:
- How do we rank relative to similarly situated firms?
- Where do we materially lag or lead?
- Are we progressing quickly enough?
- Which gaps are most relevant to real-world incident risk?
This comparative view is particularly valuable in light of increasing disclosure scrutiny. It demonstrates that management is not assessing cyber risk in a vacuum, but rather in the context of observable market norms and security realities.
Aligning capital allocation with measurable risk
The SEC framework implicitly (rather than expressly) raises the bar for accountability. If a material cyber incident occurs, boards and management teams may be asked—by regulators, investors, or litigants—why certain cybersecurity investment decisions were made. Peer benchmarking provides a foundation to defend these decisions.
By identifying whether and where an organization underperforms its peers—especially in control areas linked to higher incident likelihood—benchmarking highlights where incremental investment is most likely to reduce risk. Conversely, it can reveal areas of relative strength, where additional spending may yield only marginal benefit.
Benchmarking allows organizations to anchor budget decisions in market-relevant data:
- Investments can be directed toward control domains with demonstrated impact on incident outcomes
- Overspending on low-impact areas can be avoided
- Trade-offs can be explained in terms of comparative risk reduction
Armed with this information, boards and executive teams can be more assured that they are allocating capital wisely and will be seen to be making informed decisions.
Framing cyber risk for effective board and stakeholder communication
Again, without explicitly requiring it, the SEC rules have significantly increased the need for clear communication around cybersecurity at the board and executive level. Technical detail alone is no longer sufficient; the market now expects disclosures that reflect coherent oversight and informed judgment.
Peer benchmarking provides an effective bridge between technical measurement and strategic communication. While the level of cyber expertise is improving, the reality is that most corporate leadership and board members are not and will never be technical cyber experts. Communicating with them in an understandable way that provides decision-useful risk context is therefore an imperative.
Relative performance indicators—such as percentile rankings, quartile positioning, and deviation from peer medians—are intuitively understood by non-technical audiences. They allow boards to quickly grasp:
- Whether the organization is ahead of or behind peers
- Where the most significant risk exposures lie
- How performance is trending over time
Benchmarking aligns cybersecurity reporting with familiar governance practices used in other domains, such as financial performance. This consistency enhances board engagement and facilitates more informed oversight discussions.
Independent second opinion as a foundation for stronger oversight
The SEC’s focus on governance processes implicitly raises expectations around independence and objectivity in cyber risk assessment. Organizations should be able to demonstrate that their evaluations are not solely reliant on internal perspectives, hobbled by groupthink, or constrained by happy-path analyses. Peer benchmarking serves as a form of independent, data-driven validation. While internal security teams and their external consultants play critical roles, their assessments can be limited by methodology, scope, or institutional bias. Empirical benchmarking introduces an external reference point that answers a key governance question: How does our cybersecurity risk stack up when viewed through an objective, market-based lens?
ISS-Corporate has previously linked this concept to “defensive diligence”—the idea that organizations can reduce liability exposure by demonstrating that their decisions were informed by credible, third-party data. Benchmarking strengthens this posture by showing that:
- Risk assessments were grounded in external evidence
- Performance was evaluated relative to peers
- Strategic decisions reflected market-informed realities
In the context of SEC disclosures, this type of independent validation can be particularly valuable in demonstrating that cybersecurity oversight processes are robust and well-founded.
What Makes Cyber Risk Benchmarking Defensible
While the SEC rules around cyber oversight disclosure require very little, in practice, they imply much more. Risk oversight requires risk awareness. A sober, and therefore useful, assessment of risk requires a degree of independence and metrics that are empirically defensible.
Not all benchmarking approaches meet this standard. Many rely on subjective maturity assessments, self-reported surveys, or opinion-based scoring systems. While these may offer directional insights, they lack the rigor required for high-stakes governance and disclosure.
Empirically defensible benchmarks, by contrast, are built on:
- Large-scale datasets of observed cyber incidents
- Statistical analyses linking technical measurements to incident frequency and severity
- Objective, repeatable measurement methodologies demonstrably correlated with incident outcomes
This distinction matters for several reasons. Metrics with demonstrated correlation to loss events provide clearer guidance on where interventions will have the greatest impact, and where they are even needed. Empirically grounded metrics give organizations a sound basis for understanding how well they are performing, where they may have gaps, and in which direction they are moving. Use of empirical data enables executive leadership and boards of directors to make better decisions and then defend them with evidence.
In short, empirically grounded benchmarking transforms oversight from a discipline built on layered assumptions into a measurable, defensible, and market-relevant system of guidance for those tasked with managing risks on the ground. Ultimately, this helps companies manage risk in a way that brings more meaning and value to what the SEC was aiming to achieve with its disclosure rules in the first place.

