How to Prepare for New SEC Cybersecurity Disclosure Requirements

Many organizations used to hit the mute button whenever discussions about cybersecurity came up, but this silence has been breaking more frequently as more businesses are victimized by hackers and experience effects that hit their bottom line in ways that require them to share the information with regulators. But changes are coming to the rules of the Securities and Exchange Commission (SEC) that will set new standards for how most businesses communicate their security posture.

In early 2022, the SEC issued a proposal to amend its cybersecurity rules that set out new ways to report and disclose security incidents. The SEC claims it wants to better inform investors about organizations’ risk management strategy and cyber governance, but to some organizations, the proposal can feel like yet another regulatory workload.

To understand the 129-page proposal, it helps to break it down into the three main aspects it covers:

● Governance: The rules require transparency in how organizations invest in and prioritize cybersecurity among their business functions. They require disclosure of the cybersecurity expertise within the board of directors, so investors can draw their own conclusions about the priority level cybersecurity has in that organization and the board’s ability to provide guidance to the CIO, CISO and other security stakeholders.

● Risk Management: Investors today have no point of reference to establish cyber risk as a data point when evaluating companies to invest in, so the requirement to report cybersecurity risk strategy and governance can add value to those companies that have strong policies and procedures for cyber risk management. The companies that lag would do well to invest in improving their cyber risk management program.

● Cybersecurity Incidents: Under the new rules, organizations would have to report to the SEC cybersecurity incidents that are material to their operating results, and offer updates on previous incidents. Reporting a hack can be a risk to a company’s reputation, stock price and more, but the way it’s handled can also help those factors. Currently, many incidents are reported even if the organization wants to keep them quiet, so this requirement is not too onerous, but it becomes a proactive task that companies should invest in to make sure their disclosure strategy is ready just in case.

A few simple steps can make sure your organization is prepared for the new requirements, or can be ready before the next quarterly report:

● Assess cybersecurity’s priority: The new requirements are meant to give investors an idea of where cybersecurity lands in the to-do list of an organization. Look at the makeup of the board to see where cybersecurity experience sits, or whether there is a gap to fill before the new requirements take effect. Additionally, investing in that expertise adds value by improving the organization’s resiliency.

● Assess your risk management approach: Find out what cybersecurity policies and procedures guide workflows, because it’s not only good for reducing risk, but showing continuous improvement will become a metric investors will want to see. Knowing the cybersecurity policies and procedures in place and showing that investments are being made to minimize risk signals the priority of cybersecurity in an organization.

● Assess your incident response program: As the trope goes: there are two types of organizations—those that have been hacked and those that don’t know it yet. With this in mind, organizations can invest in building a proactive incident response program. Having a plan with playbooks for different scenarios, as well as disclosure statements drafted in advance, can relieve the crunch of crisis management, and doing this ahead of the SEC requirement will help the organization respond better when an incident does occur.

● Establish a level of confidence: One of the keys to the SEC proposed rules is the ability to quantify the success of an organization’s cybersecurity strategy: its risk management, incident response, and overall governance. Investments in tools and solutions that can give some reassurance of a level of risk management execution are a better proof point for investors than written policies or incident workbooks.

Security incidents are a fact of business life today, but an organization’s incident response and its handling of disclosures can make a big difference. The new SEC requirements are putting on paper what many companies—public and private—should have been investing in already.

Written by

Gordon Lawson is CEO of Conceal, a company that uses Zero Trust isolation technology to defend against sophisticated cyber threats, malware and ransomware at the edge. Previously, he served as president at RangeForce Inc. Gordon has nearly two decades of experience in the security sector with a focus on SaaS optimization and global enterprise business development from global companies including Reversing Labs, Cofense (formerly PhishMe) and Pictometry. As a naval officer, Gordon conducted operational deployments to the Arabian Gulf and Horn of Africa, as well as assignments with the Defense Intelligence Agency, US Marine Corps, and Special Operations Command. He is a graduate of the US Naval Academy and holds an MBA from George Washington University.
