In a landmark development that will reshape how public companies navigate cybersecurity risk, the US Securities and Exchange Commission (SEC) has given the green light to a set of rules that demand greater diligence in cybersecurity risk management, strategy, governance, and incident disclosure.
As of December this year, public companies will be required to promptly reveal ‘material cybersecurity incidents’ within a tight four-day window. On top of that, registrants will now face the annual responsibility of reporting their methodologies for assessing, identifying, and managing substantial risks posed by cybersecurity threats.
Undoubtedly, these new rules will put pressure on public companies to reimagine how they approach incident mitigation, identification and response—and it’s up to CISOs to lead the revolution.
What are the SEC’s new rules?
The SEC’s new rules aim to enhance transparency and accountability for investors, by mandating that companies provide them with “consistent, comparable, and decision-useful” insights into their cybersecurity risk management practices.
To comply with these regulations, companies are now required to submit a Form 8-K, which must include:
- The date when the incident was detected and whether it is ongoing.
- A comprehensive description of the incident, outlining its nature and scope.
- Details about any compromised data, including whether it was stolen, altered, accessed, or used without authorization.
- Insights into how the incident has impacted the company’s operations.
- Information about any ongoing or completed containment efforts implemented by the company.
Furthermore, companies must include specific cybersecurity-related information in their annual report on Form 10-K, such as:
- The processes in place for identifying and managing material risks stemming from cybersecurity threats.
- A comprehensive assessment of the material effects or reasonably likely material effects of previous cybersecurity incidents.
How CISOs can prepare
As the implementation draws closer, here are five proactive steps that CISOs and security leaders can take to get ready for SEC cybersecurity compliance and to proactively manage and mitigate cyber risk:
Innovate your approach to incident response
CISOs will need to revisit and update their organization’s incident response plans, collaborating closely with both internal and external legal teams to establish clear escalation paths and collaborative procedures for determining when cyber incidents cross the threshold into materiality. Navigating the intricacies of the SEC’s latest guidance will undoubtedly be a collective effort, involving cross-functional teams spanning cybersecurity, legal, investor relations, and business leadership, among others.
However, merely having a well-structured playbook in place won’t suffice. It’s essential to build the muscle memory needed to respond swiftly and effectively when facing a cyber threat. Regular readiness exercises are invaluable for identifying technical gaps and pinpointing any process or communication breakdowns that could impede a timely response and disclosure.
Furthermore, it’s important to emphasize that incident response isn’t the sole responsibility of the cybersecurity team. Fostering a company-wide culture centered on cybersecurity awareness and incident reporting is crucial. With that in mind, put in place processes that make it easy for employees to promptly report any potential threats they come across, empowering your entire team to act swiftly in mitigating risks effectively.
Review your existing controls
In accordance with the SEC’s latest regulatory changes, companies are now required to incorporate explicit information regarding their cybersecurity programs in their annual 10-K filings. This presents an opportune moment to conduct a thorough assessment of your current security controls and policies in light of established standards like the NIST Cybersecurity Framework or ISO/IEC 27002. The objective is to pinpoint any areas where your existing controls may fall short in adequately mitigating your cybersecurity risks.
Most organizations will likely find that the most potent risk comes in the form of data leakage or exfiltration from cloud apps like Slack, Google Workspace and generative AI, where employees now spend most of their working hours.
Because these apps rely on unstructured data, it is inherently harder to discover, classify and secure sensitive data within them. Therefore, investing in cloud-based data loss prevention (DLP) is imperative, giving organizations much-needed visibility and control over these applications and reducing the risk of material incidents.
Cement your definition of materiality
The recent SEC rule introduces certain ambiguities, particularly surrounding the interpretation of the term “material incident.” Notably, the SEC has refrained from providing a specific definition for materiality, explaining that creating a cybersecurity-specific materiality definition would deviate significantly from established practices and would not align with the overarching intent of the final rules.
This leaves organizations in a position where they must grapple with the concept of materiality, extending beyond the familiar realm of financial statements. It will be essential to consider qualitative factors, such as the potential impact on reputation, customer and vendor relationships, and compliance with regulatory requirements. Furthermore, a broader perspective is required when assessing breaches and breach attempts, taking into account the aggregate effects of related incidents over time.
Brush up on boardroom syntax
CISOs often encounter challenges when attempting to convey the value of their cybersecurity investments in a language that resonates with the board. To meet SEC compliance, they will need to learn to frame discussions in terms that the board understands, which typically steer away from technical jargon or discussions about the intricacies of technology.
Instead, dialogue should revolve around the concept of risk and the pragmatic measures they plan to implement to either reduce or mitigate that risk in the present and future. This includes outlining plans to optimize their investment pool across talent, technology, processes, and their partner ecosystem to achieve the most effective security outcomes.
Board members generally grasp topics such as safeguarding the company’s brand and corporate reputation, minimizing business disruptions, and assessing the costs associated with downtime. To enhance communication, consider integrating cost-benefit analysis into your organization’s existing cybersecurity framework. This approach can help quantify risk and determine the return on investment (ROI) for key control areas.
Stay on the pulse
To fulfill their vital role as trusted advisors to the board, CISOs must have access to dependable information concerning the risks and controls operating within their organization.
This encompasses a wide spectrum, ranging from maintaining an accurate roster of third-party entities with access to confidential data to staying up-to-date on any lingering weak controls that demand remediation for regulatory compliance. It also extends to grasping the full scope of any cybersecurity crises that might demand immediate attention.
To achieve this level of insight, CISOs will need access to advanced technology and tools designed to provide a comprehensive view of the organization’s current cybersecurity posture.
How Polymer can help with SEC compliance
The best way to prepare for SEC compliance is to reduce the likelihood of an incident – and thus the need for disclosure – in the first instance. And that’s where we can help.
Polymer data loss prevention (DLP) is a next-generation cloud DLP tool that harnesses the power of AI to autonomously discover, protect and classify sensitive information in applications like Slack, Teams, ChatGPT and more.