The U.S. Securities and Exchange Commission (SEC) has recently adopted new rules on how public companies disclose cybersecurity matters to investors. The decision caps years of escalating guidance and scrutiny of how businesses manage cybersecurity incidents. The new rules, which take effect later this year, require publicly listed companies to disclose a material cybersecurity incident within four business days of determining that the incident is material; the clock starts at that materiality determination, not at the moment the incident is first detected. The assessment covers both isolated incidents and the aggregate impact of a series of related incidents, none of which might be material on its own.
Furthermore, these companies are required to disclose annually how they identify and manage cybersecurity risk, which members of management are responsible for it and what relevant expertise they have, and how those risks are reported to the board of directors. The SEC's objective is to protect investors by demanding more transparency, consistency, and timeliness in cybersecurity-related disclosures. A secondary effect is that companies may improve their overall cybersecurity hygiene and risk management processes, making them more resilient to incidents. The rules have also sparked debate over whether they will force organizations to disclose details of an incident while it is still being contained. Public companies, or any organization aiming for more mature security controls, can treat this as an opportunity to strengthen the proactive defenses that prevent an incident from becoming material. The most effective compliance strategy is to stop significant incidents from happening in the first place: prevention offers the best chance of stopping an intrusion outright, or of limiting the damage during the critical early hours.
According to the CrowdStrike 2023 Global Threat Report, the average breakout time for eCrime intrusions, the interval between an adversary's initial compromise of one system and lateral movement into the rest of the network, was just 84 minutes. Companies therefore need the tooling and teams to detect, contain, and remediate an intrusion at the same speed. Even with strong prevention in place, they still need a defined process for the disclosure rules should an incident occur: how the significance of an incident will be assessed, against what criteria, and who ultimately decides that an incident is material.
From a technical perspective, companies need a system of record that captures the impact of each incident (affected systems, data, users, and estimated cost) and links related incidents together, so that the cumulative impact of several smaller related events can be weighed when making a materiality assessment. In the face of these requirements, the best thing public companies can do is focus on the fundamentals of good security practice. Those fundamentals both reduce the likelihood that an incident will be material and provide the substance for the required annual disclosure on cyber risk management. Many cybersecurity consultancies offer services and tools that can help organizations prepare for the disclosure rules through proactive prevention and response capabilities.
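The "system of record" described above can be a simple incident register: each incident is logged with its impact figures and a key that ties it to related incidents, and the register evaluates materiality over the group rather than per event. The following is an added illustration in Python, not code from the original article or from any vendor. The relationship key (a campaign or intrusion-set label), the materiality thresholds, and the sample incidents are all constructed assumptions; a real program would substitute its own materiality criteria and a holiday-aware business calendar.

```python
"""Incident register that aggregates related incidents for a materiality
assessment and computes the four-business-day disclosure deadline.

Added example, not code from the original article. The `campaign` key,
the MaterialityPolicy thresholds and the sample incidents are assumptions
made for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Incident:
    incident_id: str
    detected: date
    campaign: str              # hypothetical key linking related incidents
    records_affected: int
    estimated_cost_usd: int
    description: str = ""


@dataclass
class MaterialityPolicy:
    """Organization-defined thresholds; the values here are assumed."""
    records_threshold: int = 100_000
    cost_threshold_usd: int = 1_000_000

    def exceeded_by(self, records: int, cost: int) -> bool:
        return records >= self.records_threshold or cost >= self.cost_threshold_usd


def business_days_after(start: date, n: int) -> date:
    """Return the date n weekdays (Mon-Fri) after `start`.

    Public holidays are deliberately ignored in this toy calendar; a real
    deployment must use the relevant exchange/holiday calendar."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


class IncidentRegister:
    def __init__(self, policy: MaterialityPolicy) -> None:
        self.policy = policy
        self.incidents: list[Incident] = []

    def record(self, incident: Incident) -> None:
        self.incidents.append(incident)

    def related(self, campaign: str) -> list[Incident]:
        """All incidents sharing the relationship key."""
        return [i for i in self.incidents if i.campaign == campaign]

    def cumulative_impact(self, campaign: str) -> dict[str, int]:
        rel = self.related(campaign)
        return {
            "incidents": len(rel),
            "records_affected": sum(i.records_affected for i in rel),
            "estimated_cost_usd": sum(i.estimated_cost_usd for i in rel),
        }

    def individually_material(self, incident: Incident) -> bool:
        return self.policy.exceeded_by(incident.records_affected,
                                      incident.estimated_cost_usd)

    def is_material(self, campaign: str) -> bool:
        """Materiality judged over the whole group of related incidents."""
        impact = self.cumulative_impact(campaign)
        return self.policy.exceeded_by(impact["records_affected"],
                                       impact["estimated_cost_usd"])

    @staticmethod
    def disclosure_deadline(determination_date: date) -> date:
        """Four business days after the materiality determination; the
        clock starts at the determination, not at first detection."""
        return business_days_after(determination_date, 4)


def build_example_register() -> IncidentRegister:
    """Constructed sample data: three small related incidents (C-1) and
    one unrelated incident (C-2). None is material on its own."""
    reg = IncidentRegister(MaterialityPolicy())
    for n, day in enumerate((5, 12, 26), start=1):
        reg.record(Incident(f"INC-{n}", date(2024, 2, day), "C-1",
                            records_affected=40_000, estimated_cost_usd=50_000,
                            description="credential-stuffing wave, same actor"))
    reg.record(Incident("INC-4", date(2024, 2, 20), "C-2",
                        records_affected=5_000, estimated_cost_usd=10_000))
    return reg


if __name__ == "__main__":
    reg = build_example_register()
    for campaign in ("C-1", "C-2"):
        print(campaign, reg.cumulative_impact(campaign),
              "material" if reg.is_material(campaign) else "not material")
    # Determination made on Friday 2024-03-01: deadline is Thursday 2024-03-07.
    print("deadline:", reg.disclosure_deadline(date(2024, 3, 1)))
```

The point the register makes concrete is the aggregation step: each of the three C-1 incidents sits below the records threshold, so a per-incident check never fires, but the group crosses it and the materiality determination (and the deadline derived from it) must be driven by the cumulative figures.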
Beyond pushing public companies toward better cybersecurity hygiene, the SEC is also pressing them to strengthen their risk management processes. This places more of the onus on executive leaders and the boards that oversee them. By requiring organizations to identify which business leaders are responsible for cyber risk, and what expertise they bring, the SEC is underscoring that security oversight cannot be a rubber stamp. As further rules are proposed, it will be important to align them with existing regulations so that victim organizations can comply in a timely and transparent manner while continuing to focus on the fundamentals that keep their networks secure.