Cybersecurity compliance recently got quite a bit more complicated.
As of December 2023, the Securities and Exchange Commission (SEC) requires all public companies to meet significantly higher standards for cybersecurity transparency. Meeting those requirements will take time, staff, and probably investment from most public companies. Furthermore, non-compliance penalties add to the risk and cost of cybersecurity.
Even though most public companies understand the purpose of these changes and believe in stronger cybersecurity standards, the rules are undeniably a burden to bear. But the situation isn’t entirely negative. The new SEC rules can be very beneficial for companies that know how to use them to their advantage.
A Deeper Dive into the SEC Rules
As cyber incidents become more common and any attack may cause deep, lasting, and unpredictable economic damage to the target company and many others, regulators are starting to take cybersecurity very seriously. The new SEC rules force companies to take it seriously, too, by requiring them to reveal how they manage cyber risk.
Public companies must now disclose any cyber incident that has “material” impacts (a definition being hotly debated) within four days of the attack. They must also file annual reports disclosing their cyber risk:
“New Regulation S-K Item 106 will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”
These disclosures will fundamentally alter the cybersecurity landscape as we know it, bringing more exposure, and with it more pressure, to cybersecurity. But for savvy companies that know how to use cybersecurity disclosures to their advantage, these changes are an exciting development.
Spotlighting Proactive Cybersecurity
Being required to disclose attacks is only a problem if they occur. Likewise, cyber risk reports only look bad if the risk is high. In short, transparency around cybersecurity will only be an obstacle for companies that would prefer to keep this issue in the shadows.
For everyone else, disclosures are an asset that allows a company to highlight the depth and breadth of its cyber risk reduction efforts. As these efforts become increasingly relevant to business relationships, companies that can highlight their strong, consistent, and proactive efforts to reduce risk will enjoy many advantages, all stemming from the greater confidence that investors, regulators, customers, and partners will have in the company.
Cybersecurity disclosure requirements will be mandatory for some and voluntary for others, but they will be strategically valuable for ALL, and especially for those companies that know how to cultivate the kind of security posture that interested parties and investors want to see in these disclosures.
To proactively prepare your company to demonstrate strong risk-reduction efforts, we suggest starting here:
Systematic Penetration Testing
Conducting penetration tests on a regular basis—at least annually for networks and applications, and before releasing any new application—signals that companies are going on the offensive to reduce their attack surface and, with it, their cyber risk. Penetration testing matters even more now that IT infrastructure is growing so rapidly in the wake of COVID and at the dawn of the AI revolution. Being systematic about finding and fixing exposures through pen testing shows a serious commitment to managing risk, while also lowering the likelihood of successful attacks causing material damage that would have to be disclosed.
Robust InfoSec Program
Sustainable and scalable cybersecurity requires a comprehensive program that extends not just across the IT ecosystem but to the entire organization, and aligns with today’s (and tomorrow’s) business strategy. Anything less allows risk to become entrenched, so it’s important to demonstrate that a robust Infosec program is in place. Just as importantly, companies need to be able to demonstrate that they’re evaluating, evolving, and improving that program continuously.
Social Engineering Resilience
Recent major attacks on Uber, MGM Entertainment, and many others leveraged social engineering tactics to easily bypass multiple layers of cybersecurity. Already one of the most dangerous attack vectors, social engineering will only get worse with the aid of Generative AI and Deepfake technology, so companies need to stay ahead of the issue. Reducing the impact of social engineering attacks can be accomplished by using preventative services like open-source intelligence gathering, spear phishing simulations, and on-site engagements. These techniques help prevent attacks and prepare employees to respond to malicious communications.
Frequent Training, Audits, and Assessments
Cybersecurity involves everyone from individual contributors to managers to senior executives, and frequent training is essential for keeping them all educated and prepared in the face of today’s dangerous attacks. Audits and third-party assessments are also critical for validating the security measures in place. All these measures are proof that companies are not just checking boxes on cybersecurity, but are instead thinking seriously about results and outcomes.
Security Partner Relationships
As we wrote about in a recent eBook, even the largest enterprises need assistance from outside security partners to get the speed, scale, and specialized skills they require. Security partners help teams fill whatever gaps they have in their security operations while helping them stay aligned with best practices so that security never wavers — even as the security team, IT infrastructure, or attack landscape evolves.
Takeaways and Next Steps
No matter what form compliance takes, companies across the spectrum need to be thinking about when, why, and how to make cybersecurity disclosures — and thinking about what those disclosures will reveal to the benefit or detriment of the organization.
With over a decade of experience helping enterprises achieve cybersecurity maturity, the team at Summit Security Group can help you comply with the SEC rules — and turn compliance into one of your strengths.