SEC’s New Guidelines Prompt Proactive Cyber Risk Management
By Meghan Maneval, Director of Technical Product Management at RiskOptics
Recently, the Securities and Exchange Commission (SEC) adopted rules about the handling and reporting of cyber risks and breaches. With these new guidelines and regulations, public companies and organizations must disclose cybersecurity incidents experienced in a timely manner and any information regarding their cybersecurity risk management, strategy and governance annually. These new rules will bring both consistency and timeliness to reporting with the goal of more accurate reports.
While the SEC previously announced guidelines in 2011 and 2018 regarding the reporting of cyber incidents, those guidelines left room for frequent delays and insufficiently detailed disclosures. Since then, the SEC has spent over a year deliberating the nuances of the proposed rules and collecting feedback from cybersecurity professionals and companies to refine the content. Under the new guidelines, companies must report “material” cyber incidents within four days, provide information and updates on previously disclosed incidents each quarter, report annually on their cybersecurity risk management strategy and adopt controls to mitigate cyber risk.
Although these new rules and guidelines may seem excessive to some, they’re an essential step towards a stronger and more proactive approach to cyber risk management. Let’s look at a few key takeaways from this ruling and what they might mean to your organization.
1) Organizations should always be audit ready and then some.
The primary concern many organizations may have with these new rules is the requirement to report a material incident within four days. Meeting that deadline is difficult without integrated systems that share and aggregate data, because fragmented data delays investigations and can push disclosure past the required date. To satisfy the new rule’s requirements, organizations need to be proactive in collecting data and continuously monitoring their controls. The bottom line is that auditors and hackers are looking for the same thing – control failures. If organizations are continuously monitoring and testing for them, it’s less likely hackers will find an opening, meaning that audit-ready organizations are also incident-ready!
Being audit-ready means having a holistic approach to security and compliance that includes risk assessment, real-time continuous compliance monitoring, training for employees and effective communication. Having these critical pieces in place and automating the right processes is extremely important for organizations in the wake of this rule because it enables them to meet the reporting requirements faster, with less effort, and with less disruption to ongoing activity.
To have the best understanding of where risk lies in the business, organizations should leverage a risk management and compliance tool. By auditing against compliance standards, organizations are able to see where their inherent business risk lies, and in turn, make decisions to remediate that risk and reduce exposure. Additionally, a robust risk management tool will allow security leaders to quickly understand, evaluate and convey the impact of risk on the business aspects they care about the most.
2) Boards need to have a deeper understanding of cyber risk and security than ever before.
Part of the rule requires companies to disclose how much the board knows about cybersecurity and how their organization is implementing cybersecurity tactics and best practices. This begins with general education on cybersecurity and the current threat landscape. Organizations can accomplish this with trainings, providing educational materials or appointing an expert in cybersecurity to the board to help guide conversations. This foundational step is critical to acting with purpose.
It’s also essential to consider the board members’ awareness of what’s going on within the organization, what initiatives are currently in place and what risks impact success. To do this effectively, security leaders must translate cyber risk and its impact into a language that board members will understand – dollars and cents.
For example, if a security leader notes a non-conformity with the California Consumer Privacy Act, the board may not know why it is a concern. Instead, communicating that the organization has an increased risk of reputational damage or fines for noncompliance ensures the impact is conveyed and the board can invest in the right areas to reduce those risks. Security leaders should revisit their current cybersecurity plan, showing the board where investments are needed to close the cyber risk gap.
3) The new rules will significantly benefit companies that talk more about their risk.
Most importantly, this ruling emphasizes the need to take a proactive approach to risk management. Organizations must understand their cyber risk posture, and the context of their risks, so they are prepared to act if a risk is realized.
As the SEC sets this precedent, it benefits companies to make risk a part of every conversation. By doing so, key stakeholders can understand the full impact of business initiatives and move forward based on risk-informed decisions. This requires having a 360-degree view of cyber risk and its constituent parts (such as vulnerabilities, threats and third parties) to enable action within the required timeframe.
Although these new rules seem scary and intimidating, they are not going to upend enterprises. Ultimately, if companies have been doing what they were supposed to be doing all along, this new timeframe will only further encourage transparency and accountability. With a proactive approach to cybersecurity and risk management, companies will be further prepared to monitor for threats and vulnerabilities, reporting them quickly as they arise.
About the Author
Meghan Maneval is the Director of Technical Product Management at RiskOptics. She leads RiskOptics’ Technical Product Management team, tasked with developing and evangelizing innovative ways to solve industry problems.
Fun fact about Meghan: she was a RiskOptics customer before joining the team! After more than 15 years managing security, compliance, audit, governance, and risk management programs in highly regulated industries, Meghan joined RiskOptics in 2022 to help drive product innovation and empower our customers to achieve their objectives.
Meghan is a passionate security and risk evangelist, DIBs champion, and home-renovation enthusiast specializing in process improvement and program iteration. Meghan enjoys giving back to the security and risk community through blogs, whitepapers, webinars, conference presentations, and podcasts. Meghan can be reached online on LinkedIn and at our company website https://riskoptics.com/.