The onslaught of cyber attacks in the past years has prompted government agencies to take the lead in improving cybersecurity defenses. For one, the U.S. Securities and Exchange Commission (SEC) finalized new rules on cybersecurity risk management, strategy, governance, and incident disclosure for public companies.
The rules demand prompt and transparent cyber incident disclosure to give investors a clearer picture of a company’s cybersecurity posture and the potential risks involved in their investments. While the amendments took effect on 5 September 2023, companies are seemingly struggling to comply. This post aims to shed light on the new SEC rules and how CISOs can respond.
What Are the New SEC Rules?
The new SEC rules focus on two key areas—material cybersecurity incident disclosure and risk management, strategy, and governance disclosure. Cyber incidents are considered material if they affect a company’s operations and financial condition.
The disclosure must be presented in Inline eXtensible Business Reporting Language (Inline XBRL) format, which enables automated extraction and analysis of the disclosed information. This standardization helps make it easier for investors, analysts, and regulators to analyze a company’s cybersecurity risks.
Material Cybersecurity Incident Disclosure
Public companies must now report material cybersecurity incidents using Form 8-K within four business days after determining an incident’s materiality. It is important to note that the deadline is not four business days from incident detection but four business days after the company determines the incident’s materiality.
“This timing recognizes that, in many cases, a company will be unable to determine materiality the same day the incident is discovered,” says Erik Gerding, Director of the SEC Division of Corporation Finance, in a statement.
However, there is an exception to the four-day rule. If the U.S. Department of Justice (DoJ) determines that disclosure would pose a substantial risk to national security or public safety, then the filing of the incident disclosure can be delayed.
The SEC initially proposed including technical information about an organization’s planned responses in the disclosure. However, this stipulation wasn’t included in the final rule after experts commented that these details can hamper an organization’s response and provide threat actors with potential exploits.
While the technical details of an incident are not required in the disclosure, it must describe the nature, scope, timing, and impact of the incident. Therefore, companies must consider and analyze a material incident’s quantitative (i.e., operational and financial damages) and qualitative (i.e., effects on reputation and on customer and vendor relationships) impact.
Risk Management, Strategy, and Governance Disclosure
Under the new SEC rules, companies must include information regarding their overall cybersecurity risk management practices, strategies, and governance structures in their annual reports (Form 10-K).
While the proposed rules initially required public companies to disclose specific details about their cybersecurity policies and procedures, the SEC decided to streamline them. The agency struck a balance between transparency and security in the final ruling, saying, “We agree that extensive public disclosure on how a company plans for, defends against, and responds to cyber attacks has the potential to advantage threat actors.”
For instance, knowing specific incident response processes and techniques and third-party service providers may empower attackers and give them a road map to launch attacks. So, what should companies disclose instead? We’ll tackle these in the following subsections.
Risk Management and Strategy
When determining what a disclosure should contain, we must go back to the goal of the new SEC rules—to provide investors with a clear understanding of their investment risks.
Therefore, risk management and strategy disclosures must have sufficient information to allow investors to assess a company’s cybersecurity risk profile. That involves showing the company has sound cybersecurity practices and a risk assessment program. Specifically, companies must describe:
- Their processes for assessing, identifying, and managing material risks
- Any cyber risk that can materially affect their business strategy, operations, or financial condition
- How cybersecurity processes are integrated into the company’s overall risk management system or processes
- Whether the company engages third parties in implementing cybersecurity processes (e.g., assessors, consultants, auditors)
- Whether the organization has processes to oversee and identify material risks from third parties
Governance
The SEC aims to give investors an idea of how a company’s leaders oversee and implement cybersecurity processes. The final rule lists these disclosure requirements, directing public companies to describe the following:
- The committees responsible for assessing and managing risks
- The expertise of the persons involved
- How the responsible persons are informed about cybersecurity incidents
- Whether these persons report risks to the board of directors or to a board committee or subcommittee
Therefore, the disclosure should describe management’s role in assessing and addressing material risks from cyber threats. This involves disclosing which management positions and departments are accountable for addressing those threats and what relevant expertise they have.
The final rule’s disclosure requirements for the board are more high-level. They describe the board’s involvement in cybersecurity and identify whether a dedicated board committee or subcommittee exists to oversee it. The disclosures should also detail how the board (or designated committee) is kept informed about cyber threats.
What CISOs Can Do
A CISO’s job is not getting any easier. In fact, 66% of global CISOs worry about the personal, legal, and financial liabilities their roles entail. The new SEC rules may increase the pressure CISOs face in ensuring that effective cybersecurity measures are in place to prevent and respond to cybersecurity incidents. Below are some strategies that can help CISOs work toward complying with the new SEC disclosure requirements.
Dig Deeper into Attack Surfaces
The SEC’s requirement to include the quantitative and qualitative impact of a material incident means CISOs must obtain a more comprehensive understanding of their organization’s attack surface, examining all asset dependencies to uncover all possible entry and impact points.
The process entails thoroughly analyzing each discovered asset and understanding both how its vulnerabilities can affect the rest of the IT infrastructure and how other assets affect it. Many organizations have complex IT infrastructures with interconnected assets and systems, and a seemingly minor vulnerability in one asset can be exploited to gain access to more critical systems.
If and when a cyber incident involving a discovered and mapped asset occurs, there are no hidden surprises: CISOs can immediately analyze the incident’s potential impact based on the mapped asset dependencies.
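The dependency-based impact analysis described above can be automated once assets and their dependencies are inventoried. The following is an added example, not code from the original post or from any EASM product; the asset names, criticality ratings, business functions, and "depends on" edges are constructed sample data, and the materiality-review flag is a simple heuristic assumed for illustration, not the SEC’s materiality test. Given a compromised asset, it walks the dependency graph in reverse to find every asset whose operation could be affected and summarizes which critical systems and business functions are exposed, which is the input a CISO needs to start the quantitative and qualitative impact assessment.

```python
"""Asset-dependency impact analysis (added example, not from the original post).

Builds a small, constructed dependency graph of assets and, for a given
compromised asset, walks the "depends on" edges in reverse to find every
asset whose availability or integrity could be affected.
"""
from collections import deque

# Constructed sample inventory: asset -> (criticality, business function)
ASSETS = {
    "vpn-gateway": ("medium", "remote access"),
    "jump-host": ("medium", "administration"),
    "ad-domain": ("critical", "identity"),
    "erp-db": ("critical", "finance"),
    "erp-app": ("high", "finance"),
    "marketing-site": ("low", "marketing"),
    "cdn": ("low", "marketing"),
}

# Constructed "depends on" edges: an asset's operation relies on the listed assets.
DEPENDS_ON = {
    "jump-host": ["vpn-gateway", "ad-domain"],
    "erp-app": ["erp-db", "ad-domain"],
    "erp-db": ["jump-host"],  # the database is administered through the jump host
    "marketing-site": ["cdn"],
}


def reverse_edges(depends_on):
    """Invert the graph: for each asset, list the assets that rely on it."""
    relied_on_by = {}
    for asset, deps in depends_on.items():
        for dep in deps:
            relied_on_by.setdefault(dep, []).append(asset)
    return relied_on_by


def impacted_assets(compromised, depends_on=DEPENDS_ON):
    """Return the set of assets transitively affected by a compromise of
    `compromised` (excluding the compromised asset itself), found by a
    breadth-first walk over the reversed dependency edges."""
    relied_on_by = reverse_edges(depends_on)
    seen = set()
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for downstream in relied_on_by.get(current, []):
            if downstream not in seen:
                seen.add(downstream)
                queue.append(downstream)
    return seen


def impact_summary(compromised, assets=ASSETS, depends_on=DEPENDS_ON):
    """Summarize the blast radius of one compromised asset.

    `needs_materiality_review` is an assumed heuristic: it is set when any
    critical- or high-rated asset is downstream, meaning the incident should
    be escalated for the quantitative/qualitative impact assessment.
    """
    hit = impacted_assets(compromised, depends_on)
    critical = sorted(a for a in hit if assets[a][0] in ("critical", "high"))
    functions = sorted({assets[a][1] for a in hit} | {assets[compromised][1]})
    return {
        "compromised": compromised,
        "downstream": sorted(hit),
        "critical_or_high": critical,
        "business_functions": functions,
        "needs_materiality_review": bool(critical),
    }


if __name__ == "__main__":
    # A flaw in the low-rated VPN gateway reaches the finance systems via the jump host.
    for name in ("vpn-gateway", "cdn"):
        print(impact_summary(name))
```

Running the module shows the point the post makes: a medium-rated VPN gateway has the finance database and application downstream of it, so an incident there warrants escalation, whereas a CDN compromise only touches the marketing site. In practice the inventory and edges would come from the asset discovery tooling rather than being hard-coded.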
Gain a Strategic Focus
The final SEC rules place a strong emphasis on CISOs demonstrating a strategic approach to cybersecurity. That is not new to modern CISOs: a study revealed that 86% of CISOs say they are becoming strategists and leaders and that their role has changed significantly since they started.
This shift in role enables CISOs to proactively create and implement effective cyber attack prevention strategies and incident response plans.
For one, CISOs notably use artificial intelligence (AI) for technical tasks such as data enrichment, malware analysis, risk scoring, and workflow automation, leveraging AI’s ability to analyze huge volumes of data. The same AI capability can enable extensive asset discovery, mapping, and vulnerability scanning, highlighting the need for AI-powered external attack surface management (EASM) platforms with advanced asset discovery and vulnerability detection capabilities.
Improve Communication and Reporting
The disclosure requirements call for clear communication between CISOs and other executives regarding cybersecurity risks and incidents. Even before the new SEC rules were implemented, CISOs always needed to effectively communicate cybersecurity risks and strategies to senior management and the board of directors. That ensures buy-in for security initiatives and facilitates resource allocation.
To communicate a company’s cybersecurity posture effectively to the board and other stakeholders, CISOs need to present a comprehensive view of their attack surface. EASM platforms with interactive and detailed dashboards can play a crucial role here, given that 75% of CISOs struggle to find security tools that can generate insights the C-suite and the board can understand.
Conclusion
The SEC’s new rules elevate cybersecurity to a boardroom-level concern and hold CISOs more accountable for their cybersecurity strategies and incident response. Undoubtedly, CISOs need all the help they can get to continuously and strategically manage their organization’s attack surface.
Experience how Attaxion can help CISOs expand attack surface visibility to manage compliance with the new SEC rules. Kick off your 30-day free trial today.