In 2023 the US Securities and Exchange Commission (SEC) requires corporate boards to strengthen their cybersecurity practices and increase transparency by disclosing cybersecurity incidents, with full details, to the SEC and investors within four (4) business days.
In addition to reporting there was an incident, publicly traded corporations must identify who on their board or which subcommittee is responsible for cybersecurity and their relevant expertise. Adding to the growing importance of the CISO role, required disclosures will also include how often and by which processes board members are informed of and discuss cyber risk.
The new notice of proposed rulemaking was published by the Office of Management and Budget's Office of Information and Regulatory Affairs as part of the SEC's rulemaking agenda. It will include finalizing two sets of cybersecurity rules proposed in 2022 that increase requirements for SEC-regulated public companies, broker-dealers, funds, investment advisors, self-regulatory organizations (SROs), and others.
When finalized, the rules will go a bit deeper than simply identifying who on the board is responsible and who was informed of corporate cybersecurity procedures. For instance, registered investment advisors (RIAs) and funds must adopt cybersecurity policies and procedures, conduct documented risk assessments, implement access controls, monitor and remediate vulnerabilities, and detect, respond to, and report cybersecurity incidents. Covered RIAs and funds will be required to report cybersecurity incidents within 36 hours.
According to the Co-Chair of the Data Privacy and Cybersecurity Practice at Spencer Fane, LLP (https://www.spencerfane.com): "While this is an oversimplification of all of the requirements and nuances of the forthcoming SEC rules, the SEC's objectives are to require companies to provide meaningful and actionable information to shareholders to understand better companies' cyber risks and how companies are managing and responding to them. From a very high level, this can be broken down into two categories of what companies want to see companies disclose information about: proactive cyber risk governance and risk management, and reactive incident response and reporting."
The new rules show the increasing importance of the CISO's role, particularly regarding communication with the board.
According to a leading Cyber Attorney and Global Leader of the Privacy Practice Group at Octillo Law (https://octillolaw.com): "The proposed SEC rules are just another in a long trend of regulators increasingly focusing on cybersecurity across industries and businesses. With these new rules, the SEC is taking a step to elevate cyber to the board level, requiring boards to disclose any cybersecurity expertise on the board and the company's cybersecurity risk management and governance practices. Finally, the period to disclose 'material' breaches will last four days. All of this combines to add heightened visibility, and oversight, into companies and their compliance practices. How this will impact publicly traded companies, and how the SEC will enforce these rules, will be key for all businesses to watch to influence their approach to cyber within their operations."
Spencer Fane agrees: "On the proactive side, companies need to disclose their policies and procedures to identify and manage cyber risks, management's role in implementing such policies and procedures, and the Board of Directors' cybersecurity expertise and its oversight over cyber risk. This latter sentence can mean either who on the Board has cyber expertise or how great a role the CISO has directly with the Board; that is, does the CISO finally have a seat at the parents' table?" The differentiator of the new rule is that it is not based upon a privacy breach but on a "material cybersecurity incident" that might affect the business and its investors. "On the reactive side, companies are required to disclose to their shareholders when there is a 'material cybersecurity incident,' which may or may not constitute an otherwise reportable event under the various privacy-based breach notification laws," he said. "The point of this requirement is to let the investing public know about cyber events that will impact the company so that they can be informed and consider them."
The SEC's latest rulemaking agenda, released by the Office of Management and Budget's Office of Information and Regulatory Affairs, shows a few items specifically targeting cybersecurity-related issues. Since the SEC wants to name responsible parties publicly after cyber breaches, it is up to the board members of all organizations to take steps and adopt procedures to protect themselves from cyberattacks.
The following is what Red Sky Alliance recommends:
- All data in transmission and at rest should be encrypted.
- Proper data backup and off-site storage policies should be adopted and followed.
- Implement two-factor authentication company-wide.
- For USA readers, join and become active in your local InfraGard chapter (https://www.infragard.org); there is no charge for membership.
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend or require cybersecurity software, services, and devices to be used by all at-home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications directed at your domains. The RedXray service is $500-1,500 a month and provides threat intelligence on ten (10) cyber threat categories, including keyloggers, without having to connect to your network.
- The responsible board member can also receive these daily cyber threat notifications to ensure that he/she is informed daily of cyber threats against the organization.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@wapacklabs.com.
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989