5 resolutions to prepare for SEC’s new cyber disclosure rules
2023 has been marked as a year of global conflict and unrest, all of which will impact the cyber threat landscape for years to come.
However, one of the most significant cyber security developments for 2024 isn’t driven by attackers. It’s driven by regulators, law enforcement, and investors. The most notable example is the US Securities and Exchange Commission’s (SEC) new rules on cybersecurity risk management, strategy, governance and incident disclosure. Set to go into effect before the end of 2023, they will force publicly traded companies to reevaluate their security strategies.
The new disclosure rules are designed to provide investors with a greater understanding of the risks a listed company faces from cyber threats and the level of controls in place to mitigate that risk. The SEC has recognized the importance of cybersecurity risk management and is using these rules to formalize the discipline. Cybersecurity risk management will eventually rise to the same level as market risk, capital risk, and operational risk.
Here are a few 2024 resolutions to help organizations prepare for this new disclosure challenge:
Make new friends: CISOs and other technology leaders will have to strengthen relationships with the senior management team. This includes the legal department and the corporate secretary.
Why? Per the new SEC rules, companies must now report details of their cybersecurity program as part of their official corporate filings. This includes material cybersecurity incidents as well as the disclosure, on an annual basis, of a description of the company’s cybersecurity risk management, strategy, and governance practices. Material cybersecurity incidents must be reported within four days of their occurrence using the SEC Form 8-K. The details of the cybersecurity program must be included in the company’s annual report, SEC Form 10-K.
Increase focus on incident detection and response: Security monitoring must be continually enhanced to detect and block suspicious cyber activity against network, system, and application assets. A well-documented and tested incident response plan is critical to diagnosing and remediating the issue. Conducting a “lessons learned” session after an incident will improve the process. Detecting cyberattacks early will limit damage and may even prevent an attack from becoming “material.” Without active monitoring, companies may miss significant issues that should have been detected, addressed, and reported.
Commit to good cyber housekeeping: Never forget the basics of an effective cybersecurity program. Organizations should keep patches and software versions current. They should also maintain hardened configurations for all servers and network devices as well as implement endpoint protection (malicious code protection) wherever appropriate. Most important of all, they should practice the principle of least privilege, which limits user access to data and resources to the minimum required to get a job done. Access should be periodically reviewed to ensure that it is still necessary.
Deputize the company: Everyone in a company must understand the importance of complying with the new SEC rules. Failure to properly report cyber incidents can lead to heavy fines in the hundreds of millions of dollars, and even criminal charges.
Even a failure to follow established security practices may be considered negligence. Organizations should use security awareness training to inform employees of these new requirements and stress the importance of recognizing and reporting security issues. In addition, they should consider setting up an anonymous security reporting facility to collect information from employees who are concerned about possible repercussions.
Learn from the mistakes of others: Companies can learn a lot by researching the “big name” security breaches that have recently appeared in the news. Clorox, MGM, Caesars, and SolarWinds have had to make formal disclosures to the SEC about their cyber incidents. This information will help companies identify successful attack scenarios and learn how to prevent them.
2024 will be a year of opportunity for CISOs, as cybersecurity risk management grows in importance. Budgets will have to increase to meet this challenge. Cybersecurity risk management should be considered a cost of doing business, rather than an option that can be pushed to the side.