Why public companies should prepare now to safeguard their operations, reputation, and financial success.
By Paul Truitt, Principal and National Cybersecurity Practice Leader, Mazars
In a world where technology drives innovation, the security of enterprises and their assets has become of paramount concern. According to the latest IBM Data Breach Report, 83% of organizations experienced more than one data breach during 2022. With every company in the crosshairs, federal regulators have taken a key step that will require publicly traded businesses to rethink their approach to cybersecurity and avoid severe financial, operational and reputational damage.
In late July, the U.S. Securities and Exchange Commission (SEC) published its final rule on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure. Set to take effect in December, this new mandate requires publicly traded companies to disclose “material” cyber events on a Form 8-K within four business days of the organization determining materiality (materiality should be established per current federal securities law).
The final rule also requires companies to describe their cybersecurity risk management, strategy and governance and how they are maintaining and assessing their security program in their annual Form 10-K filings. The implications of this new obligation are widespread and will stimulate a new era of cyber transparency for investors, the media and other key stakeholders. It ratchets up an already intense level of scrutiny on executives, particularly CTOs, CIOs and CISOs, who must now develop and execute yet another strategic program to strengthen and report on their cybersecurity posture.
Building stakeholder confidence through clarity
The new regulations will give investors and other stakeholders a new level of visibility into the cybersecurity approach of the organizations they invest in and follow. By mandating that companies disclose cyber incidents, the SEC is giving stakeholders a window into the threats facing enterprises and how well and how often they thwart these threats…or otherwise.
Similar to how external stakeholders now evaluate publicly available financial information to judge how well a company executes on its business model, they soon will be able to evaluate how successfully an enterprise is implementing its cyber strategy. Historically, cybersecurity has been a relatively obscure domain when assessing a business, with information usually coming to light through voluntary reporting from affected companies – sometimes well after the event. For example, a large service provider to managed-healthcare organizations reported in March 2023 that a data breach had impacted 4.2 million individuals. The incident occurred nearly one year prior to the public disclosure.
After the new SEC reporting rules take effect, however, the potential repercussions are almost limitless to consider. Will securities analysts grill executives during earnings calls about reported data breaches or gaps in their security program? Will we see journalists publishing league tables of companies that file the most cyber-attack disclosures or grading them on their security control frameworks?
Strengthening cybersecurity through accountability
Apart from being required to report material cyber events almost immediately, public companies will also need to provide annual disclosures about their cyber risk management strategies and the cyber expertise of the company’s executives. This not only adds an additional layer of accountability for companies, but also presents an opportunity to strengthen current risk management strategies.
As organizations think about developing more comprehensive risk management strategies in response to the SEC’s admonition, they may want to consider investing in performing an annual security assessment by a trusted third party. By making certain their organization complies with industry standards such as ISO 27001/27002, NIST 800-53 or NIST Cybersecurity Frameworks, business leaders can better position themselves and their teams to identify risks, implement controls and reduce the chance for trouble in areas of potential exposures.
Partnering with trusted third parties that track the latest threats — and cutting-edge mitigation strategies and tools — can benefit almost any organization. But this tactic can be particularly important for smaller public companies that may lack a robust cybersecurity and reporting plan, as outside experts can act as a team extension of an organization’s existing talent when it comes to evaluating vulnerabilities, rethinking investments, implementing controls and determining when and how to report the information the SEC will soon demand.
The roles of executives and directors
One of the most important aspects of this new rule is the involvement of executives and members of a company’s board of directors, as their engagement in and understanding of the organization’s cybersecurity posture become essential. Not only will this require a level of understanding of the new SEC rule, but it also necessitates adding a layer of governance to ensure the company follows it. Impacted companies should immediately begin hosting internal conversations between executives, directors and the organization’s cybersecurity experts to provide a close look into current controls in place to assess their efficacy. This may include reviewing assessments from outside experts and penetration-testing reports. Additionally, executives and directors should ask questions about how security controls are being implemented and how processes are being assessed to gain further insight into the current controls in place — and areas for improvement.
The SEC’s new rule marks a crucial step in bridging the cybersecurity information gap between organizations and external stakeholders, while simultaneously encouraging public companies to reassess and strengthen their overall cyber strategies. For many enterprises, this will require a significant amount of work to be accomplished before the rule takes effect in December. At this stage, working with third-party advisors to leverage their expertise should be a key consideration. When the reporting and disclosure requirements become mandatory, companies will have to expect that news of their cyber incidents will be broadcast far and wide. But the enterprises that begin preparing now for this eventuality will be better positioned to safeguard their operations, reputation and financial success when the time comes.
About the Author
Paul Truitt is Principal and Cybersecurity Practice Leader at Mazars. He has over 20 years of experience providing business and technology solutions, with a deep background in identifying and mitigating security risks and performing cyber assessments for clients in the retail, healthcare, manufacturing and banking industries.
Prior to joining Mazars, Paul was a Managing Director in a mid-sized national accounting firm where he led the US Cyber Practice. He focused on managed detection and response (MDR), vulnerability management, penetration testing, security assessments and cloud security services. He also worked at a national managed services organization where he was the head of cyber services and Chief Security Officer.
Paul received his Bachelor of Science in Marketing and Management Information Systems from Salisbury University. He also holds a Master of Business Administration from Widener University.
Paul was awarded a bug bounty for submitting a remote exploit of an automotive remote access system that allowed remote starting and unlocking of the doors to any vehicle with the system deployed.