Thu, Sep 21, 2023

How Boards Can Address the Security Risks of Over-Confidence

Over-confidence can be costly, and that is especially true in the cybersecurity space. The current landscape of cybersecurity risk, and new rules from the U.S. Securities and Exchange Commission (SEC) on reporting have created an environment where companies need to be sure to test their response capabilities – and not risk letting them stagnate.

Over-confidence was identified as a major risk factor in organizations’ approach to cybersecurity in Kroll’s, The State of Cyber Defense 2023 report. Responses from 1,000 senior security decision-makers globally show that confidence in employees to stop a cyberattack is ranked higher (66%) than trust in the accuracy of data alerts (59%) and the effectiveness of cybersecurity tools and technologies (56%).

Added to this, the 2022 Kroll report, Cyber Risk and CFOs: Over-Confidence is Costly, highlights a sharp disconnect between CFOs’ high levels of confidence in their organizations’ cybersecurity abilities and the significant level of damage inflicted by cyber incidents. The report revealed that, while 87% of CFOs surveyed were overwhelmingly confident in their company’s ability to detect and respond to cyber incidents, most of the surveyed executives (61%) said that their businesses had suffered at least three significant cyber incidents in the past 18 months. This type of organizational cognitive dissonance can have significant consequences for businesses.

State of Cyber Defense

Most Trusted Methods by IT and Security Decision-makers

Within Four Days: A Major Challenge for Corporations

An excess of confidence in cybersecurity measures is not only a failure of organizational culture but a threat to business-as-usual. The risks are even greater due to the new SEC rule that marks a significant shift in how cyber breaches must be disclosed. Publicly traded companies will be required to publicize details of a cyberattack within four days of determining it is significant enough to have a material impact on the organization. It is vital that directors and boards do not simply focus on the short reporting period, but on what they need to do to prepare to meet the new requirements. 

The assessment of ‘material’ is the key in this context. It implies that organizations can quickly, accurately and reliably assess the materiality of a cyber-incident in the moment. Yet that’s not necessarily easy. In the critical early hours of an incident there may be limited information on which organizations can base a materiality assessment, making the decision on reporting may be problematic. The short time-frame for required reporting means that businesses don’t have a lot of time to figure out what they’re going to do in response to a potential or actual incident. Without the relevant pre-authorized resources to support them, they may very quickly find themselves in trouble.

An Opportunity for Progress

Download the Report

We will use this information to respond to your inquiry and process your data in accordance with our privacy policy.

At a time of evolving threats and complex security demands, the change to the SEC reporting rule puts more pressure on already squeezed company boards. However, it also presents a valuable opportunity for organizations to reset their approach, away from over-reliance on well-worn, familiar ways of working.

By embracing the new rule as an opportunity to update their cyber strategy and collaborate with proven security partners, boards can better mitigate the threat of organizational over-confidence.

To learn more, download The State of Cyber Defense 2023: The False-Positive of Trust.


Cyber and Data Resilience

Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.

Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.


Penetration Testing Services

Validate your cyber defenses against real-world threats. Kroll’s world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cyber security assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.

Kroll Responder MDR

Stop cyberattacks. Kroll Responder managed detection and response is fueled by seasoned IR experts and frontline threat intelligence to deliver unrivaled response.

Virtual CISO (vCISO) Advisory Services

Kroll’s Virtual CISO (vCISO) services help executives, security and technology teams safeguard information assets while supporting business operations with augmented cyber expertise to reduce business risk, signal commitment to data security and enhance overall security posture.


24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Cloud Security Services

Kroll’s multi-layered approach to cloud security consulting services merges our industry-leading team of AWS and Azure-certified architects, cloud security experts and unrivalled incident expertise.

Ransomware Preparedness Assessment

Kroll’s ransomware preparedness assessment helps your organization avoid ransomware attacks by examining 14 crucial security areas and attack vectors.