The cybersecurity disclosure rules adopted by the Securities and Exchange Commission (SEC) in July 2023 have pushed public companies toward a more proactive posture on incident handling and risk management. The rules require registrants to disclose material cybersecurity incidents promptly (on Form 8-K) and to describe their cybersecurity risk management, strategy, and governance in their annual report (Form 10-K). The stated goal is consistent, comparable, and timely disclosure, so that investors receive more accurate and decision-useful information.
The SEC had already issued staff guidance on cyber incident disclosure in 2011 and Commission interpretive guidance in 2018, but those were guidance rather than binding rules, and reporting remained slow and thin on detail. The 2023 rules change that: a company must disclose a cybersecurity incident it has determined to be "material" within four business days of that determination, must amend the disclosure when information that was unavailable at the time of the original filing becomes known, and must report annually on its cybersecurity risk management, strategy, and governance. Note that the rules are disclosure requirements, not control mandates: the SEC does not prescribe specific security controls, but it does require a company to describe the processes it uses to assess, identify, and manage material cybersecurity risks, which in practice means those processes have to exist and be documented.
The four-business-day window is the hardest part for many organizations. The clock starts when the company determines the incident is material, and the rules require that determination to be made without unreasonable delay after discovery, so a company cannot buy time by postponing the materiality assessment. Meeting the deadline is difficult for organizations whose incident, asset, vulnerability, and third-party data sit in disconnected systems that cannot be aggregated quickly. To meet it, organizations need to collect that data continuously rather than on demand, monitor their controls for failures, and have a defined path from the security team through legal and finance to whoever makes the materiality call and files the disclosure. A holistic program that combines risk assessment, continuous compliance monitoring, and rehearsed communication lines lets a company satisfy the reporting requirement with far less effort and disruption when an incident actually occurs.
The rules also raise the bar for boards of directors. Companies must describe the board's oversight of risks from cybersecurity threats, including which committee (if any) is responsible and the processes by which the board is informed about those risks, as well as management's role and expertise in assessing and managing them. This makes it necessary to educate board members on cybersecurity and to translate cyber risks and their potential impact into financial terms the board already uses to make decisions.
A proactive approach to risk management is at the heart of the rules, which expect organizations to understand their cyber risk posture before an incident and to be able to act quickly when a risk is realized. That requires treating risk as part of every operational and business conversation and maintaining a complete view of cyber risk and its constituent parts: vulnerabilities, threats, affected assets, and third-party dependencies.
Overall, the rules are not intended to upend enterprises but to encourage transparency and accountability. Companies that already run a proactive cybersecurity and risk management program will find the reporting requirements comparatively easy to meet, because they are already monitoring for threats and vulnerabilities and can identify, assess, and report incidents quickly as they arise.
Meghan Maneval, Director of Technical Product Management at RiskOptics, stresses that a proactive approach to cybersecurity and risk management is the practical route to meeting the new reporting requirements. Having managed security, compliance, audit, governance, and risk management programs in highly regulated industries for over 15 years, she emphasizes two priorities: continuously monitoring and testing for control failures, and communicating cyber risk to board members in financial terms. Companies that adopt that approach will be better prepared both to meet the reporting deadlines and to deliver the transparency and accountability the rules are meant to produce.