The SEC's new rule requires public companies to report material cybersecurity incidents within four business days after determining that an incident is material. Many organizations ignored the topic when discussions about cybersecurity came up, but more businesses are now being victimized by hackers and experiencing effects that hit their bottom line in ways that require them to share the information with regulators. Changes to the rules of the Securities and Exchange Commission will bring new standards for communicating the security position at most businesses.
In early 2022, the SEC proposed amendments to its cybersecurity rules that set out new ways to report and disclose security incidents. The SEC says it wants to better inform investors about organizations' risk management strategy and cyber governance, but the proposal can feel like yet another regulatory workload to some organizations.[1]
To understand the 129-page proposal, it helps to break it down into the three main aspects it covers:
See: https://www.sec.gov/files/33-11038-fact-sheet.pdf
- Governance: The rules require transparency in how organizations invest in and prioritize cybersecurity among their business functions. They require disclosure of the cybersecurity expertise within the board of directors so that investors can gauge the priority cybersecurity has in that organization and the board's ability to guide the CIO, CISO, and other security stakeholders.
- Risk Management: Investors today have no point of reference to establish cyber risk as a data point when evaluating companies to invest in, so the requirement to report cybersecurity risk strategy and governance can add value to those companies that have strong policies and procedures for cyber risk management. The companies that lag would do well to invest in improving their cyber risk management program.
- Cybersecurity Incidents: Under the new rules, organizations would have to report to the SEC cybersecurity incidents that are material to their operating results and offer updates on previous incidents. Reporting a hack can risk a company’s reputation, stock price, and more, but how it’s handled can also help those factors. Many incidents are reported even if the organization wants to keep them quiet, so this requirement is not too onerous. Still, it becomes a proactive task that companies should invest in to ensure their disclosure strategy is ready, just in case.
A few simple steps can make sure your organization is prepared for the new requirements or can be ready before the next quarterly report:
- Assess cybersecurity’s priority: The new requirements are meant to give investors an idea of where cybersecurity lands on the to-do list of an organization. Look at the board's makeup to see where cybersecurity experience sits or if there is a need to get ready for the new requirements. Additionally, investing in that expertise adds value by improving the organization’s resiliency.
- Assess your risk management approach: Find out which cybersecurity policies and procedures guide workflows. This is not only good for reducing risk; demonstrating continuous improvement will become a metric investors want to see. Knowing the cybersecurity policies and procedures in place and showing that investments are being made to minimize risk signals the priority of cybersecurity in an organization.
- Assess your incident response program: As the trope goes: there are two types of organizations—those that have been hacked and those that don’t know yet. With this in mind, organizations can invest in building a proactive incident response program. Having a plan with playbooks for different instances and drafted disclosure statements can relieve the crunch of crisis management. Doing this ahead of the SEC requirement will help the organization respond better when an incident occurs.
- Establish a level of confidence: One of the keys to the SEC's proposed rules is the ability to quantify the success of an organization's cybersecurity strategy: its risk management, incident response, and overall governance. Investments in tools and solutions that can give some reassurance of a level of risk management execution are better proof points for investors than written policies or incident workbooks.
Security incidents are a fact of business life today, but an organization's incident response and handling of disclosures can make a big difference. The new SEC requirements are putting on paper what many public and private companies should have already been investing in.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.securityweek.com/how-prepare-new-sec-cybersecurity-disclosure-requirements