Many organizations used to hit the mute button whenever discussions about cybersecurity came up, but this silence has been breaking more frequently as more businesses are victimized by hackers and experience effects that hit their bottom line in ways that require them to share the information with regulators. But changes are coming to the rules of the Securities and Exchange Commission that will bring new standards for how to communicate the security position at most businesses.
In early 2022, the SEC issued a proposal to amend its cybersecurity rules that set out new ways to report and disclose security incidents. The SEC claims it wants to better inform investors about organizations’ risk management strategy and cyber governance, but to some organizations, the proposal can feel like yet another regulatory workload.
To understand the 129-page proposal, it helps to break it down into the three main aspects it covers:
● Governance: The rules require transparency in how organizations invest and prioritize cybersecurity among its business functions. It requires disclosure of the cybersecurity expertise within the board of directors, so investors can draw their own conclusions about the priority level cybersecurity has in that organization and the board’s ability to provide guidance to the CIO, CISO and other security stakeholders.
● Risk Management: Investors today have no point of reference to establish cyber risk as a data point when evaluating companies to invest in, so the requirement to report cybersecurity risk strategy and governance can add value to those companies that have strong policy and procedures for cyber risk management. The companies that lag would do well to invest in improving their cyber risk management program.
● Cybersecurity Incidents: Under the new rules organizations would have to report to the SEC cybersecurity incidents that are material to their operating results, and offer updates on previous incidents. Reporting a hack can be a risk to a company’s reputation, stock price and more, but the way it’s handled can also help those factors. Currently, many incidents are reported even if the organization wants to keep them quiet, so this requirement is not too onerous, but it becomes a proactive task that companies should invest in to make sure their disclosure strategy is ready just in case.
A few simple steps can make sure your organization is prepared for the new requirements, or can be ready before the next quarterly report:
● Assess cybersecurity’s priority: The new requirements are meant to give investors an idea of where cybersecurity lands in the to-do list of an organization. Looking at the makeup of the board to see where cybersecurity experience sits or if there is a need to get ready for the new requirements. Additionally, investing in that expertise adds value by improving the organization’s resiliency.
● Assess your risk management approach: Find out what cybersecurity policies and procedures guide workflows, because it’s not only good for reducing risk, but showing continuous improvement will become a metric investors will want to see. Knowing the cybersecurity policies and procedures in place and showing that investments are being made to minimize risk signals the priority of cybersecurity in an organization.
● Assess your incident response program: As the trope goes: there are two types of organizations—those that have been hacked and those that don’t know it yet. With this in mind, organizations can invest in building a proactive incident response program. Having a plan with playbooks for different instances, as well as disclosure statements drafted can relieve the crunch of crisis management, and doing this ahead of the SEC requirement will help the organization respond better when an incident does occur.
● Establish a level of confidence: One of the keys to the SEC proposed rules is the ability to quantify the success of an organization’s cybersecurity strategy–its risk management, incident response, and overall governance. Investments in tools and solutions that can give some reassurance of a level of risk management execution are a better proof point for investors than written policies or incident workbooks.
Security incidents are a fact of business life today, but an organization’s incident response and its handling of disclosures can make a big difference. The new SEC requirements are putting on paper what many companies—public and private—should have been investing in already.