New SEC Cybersecurity Reporting Requirements: Three Things Companies Need To Do Now

Forbes Finance Council

Managing Director & Founder of AllegisCyber Capital

In March of this year, the Securities and Exchange Commission (SEC) proposed a set of rules and amendments that they hope will bolster the financial sector’s defense against cyberattacks. They aim to standardize disclosures of material cybersecurity incidents and improve visibility into a company’s cybersecurity risk management and governance policies to better inform investors.

The first part of the proposal covers cybersecurity incident disclosure and would amend Form 8-K to require a company to notify shareholders and the SEC, within four days of determining that an incident is material, when an unscheduled material event such as a data breach takes place. It’s important to note here that “material determination,” as stated, leaves the door wide open for subjective interpretation as to what is, and what is not, material for the purpose of disclosure.

The second part of the proposal is new reporting requirements on a company’s Form 10-K. It’d require them to include cybersecurity risk management and strategy, governance policies and procedures, management and the board of directors’ roles and responsibilities in implementing and overseeing them, as well as an amendment on Item 407 of Regulation S-K to disclose the cybersecurity expertise, if any, of the company’s board members.

Let’s look at how companies can begin preparing to meet these new requirements.

While the incident disclosure portion of the SEC’s proposed rules has caught the most attention, the new reporting requirements on the board of directors’ role in cyber risk strategy are what could make the biggest impact long-term.

Many companies lack a clear and defined way to report their cybersecurity posture and subsequent cyber risk to their own boards. And many boards don’t see cyber risk as a part of the business strategy. Under the SEC’s new annual reporting rules, cybersecurity is now mission-critical for senior executives and boards of directors. The opacity of cyber risk will no longer be acceptable.

Here are three actions companies need to take if they haven’t already to prepare for the upcoming changes that the SEC plans to enforce.

Update your cybersecurity incident response plan and review it regularly.

According to the “2021 Cyber Resilient Organization Study” by the Ponemon Institute and IBM Security, only 26% of organizations have cybersecurity incident response plans that are applied consistently across the entire enterprise. The cyber breach notification mandate gives companies just four business days to disclose a material event. That’s not a lot of time, especially considering resources are likely focused on containing and remediating the breach.

It’s crucial that SEC reporting is worked into an incident response plan in advance so that there are clear lines of roles and responsibilities between cybersecurity teams, disclosure committees and legal teams to ensure that SEC requirements are met without derailing remediation efforts. Tabletop exercises run at the board level are an effective way to pressure test a response plan and should be run at least once annually.

Develop a cybersecurity “lingua franca” that lets stakeholders speak a common language of risk.

For many years, it was the sole responsibility of the chief information security officer (CISO) to translate technology risk to business risk for the board—that’s if they were lucky enough to get a seat at the table. Now that management and the board of directors are required to report on their roles in assessing and managing cyber risks, they are going to be hungry for the data, metrics and visibility they need to align cybersecurity to business priorities.

We have to close the communications gap between business unit leaders, CISOs and boards of directors. A cybersecurity “lingua franca,” or shared language, is made through defining and agreeing on the reporting and measurement criteria that reflect and align with your business objectives, internal policies and standards and external regulatory requirements. Aligning on these metrics will let everyone from the technical security practitioners to the board of directors discuss cyber risk in the same context of the overall business objectives.

Make sure the security tools and controls you have are working as intended.

According to the Panaseer 2022 Security Leaders Peer Report, organizations manage 76 different cybersecurity tools on average, up 19% over the past two years as companies shifted to cloud and remote work. But more tools don’t guarantee better security coverage. In fact, they often give a false sense of confidence. The report states that 82% of respondents were surprised by a security event that evaded a control they thought was in place. Only 36% are very confident they could prove that their controls were working as intended.

One of the world’s most strategic CISOs, Phil Venables (formerly the CISO of Goldman Sachs and now the CISO of Google Cloud), pointed out on Twitter in 2019 that many security incidents happened in environments where security controls were thought to be in place and operational but, for whatever reason, had stopped functioning.

In a post on his blog earlier this year, “Controls – Updated,” he notes, “Oddly, it also still seems surprising to people that security breaches are often the result of unintended control lapses rather than innovative attacks or risk blind spots.” He also makes the case for continuous controls monitoring (CCM), an emerging area of security automation that focuses on verifying that security tools are present and actually working as intended.

Public (and private) companies should view this moment as an opportunity to evaluate the effectiveness of their current cyber reporting practices and procedures and determine where they excel, and where they fall short. It’s about time that we get serious about addressing cyber risk.
