A proposed regulation published last March by the Securities and Exchange Commission (SEC) would require listed companies to report cybersecurity incidents within 72 hours to investors, shareholders, and customers, as well as the Cybersecurity Infrastructure Security Agency (CISA). The proposal follows a downtrend in Form 8-K and 10-K cyber incident disclosures in 2020 and 2021, despite a record number of cyberattacks.
If passed by the full commission, organizations will have to disclose their cybersecurity governance capabilities, including the board’s oversight of cyber risk, a description of management’s role in assessing and managing cyber risks, as well as their ability to implement the registrant’s cybersecurity policies, procedures, and strategies.
A regulatory reawakening
March of last year saw the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) signed into law. This requires specific organizations that are attacked to report significant cyber incidents, in return, offering protections aimed at incentivizing them to report. The bill also requires these organizations to report certain ransomware payouts no later than 24 hours after making the payment.
The new proposed SEC regulation for public companies declares itself as more demanding and extensive. The transparency into cyber practices and incidents has turned from voluntary to mandatory for publicly-listed companies. The goal: the more extensive information-sharing should empower businesses to build more comprehensible actions and defences against one of the biggest risks facing businesses, and as described by SEC Chair Gary Gensler: “provide investors with consistent, comparable, and decision-useful disclosures so they can put their money in companies that fit their needs.”
The new regulation proposed by the SEC requires companies to disclose to CISA whether they have made cybersecurity a part of their business strategy, capital allocation, and financial planning. Boards are now being held accountable for cybersecurity oversight and must ensure their defenses are battle-ready to face the global threat landscape.
These widespread rules aim at increasing transparency for investors and stakeholders, allowing them to make informed decisions about their equity and data. Organizations will face large fines if they fail to comply with the SEC’s regulation, meaning investment in cybersecurity best practice and risk management has become more important than ever.
This new proposed regulation would, if passed, arrive in later on in 2023, and would no longer allow for passive and reactive approaches to cyber resilience. Mandating listed companies to disclose cyberattacks in record time would intensify the need for good governance and rigorous protections against attacks. To get ahead of the regulation, companies must fortify their cyber defenses to reduce the likelihood of a breach by testing their systems to failure.
Protect assets to mitigate risks
Now more than ever, shareholders will want to ensure that their assets are protected and that their investments will not dip due to damaging cyberattacks. Consequently, businesses must take action to protect their assets from hackers and avoid the potentially damaging declarations of breaches. Here are some actionable insights into how companies can meet the new SEC guidelines and implement effective cybersecurity plans:
Test by using cyber ranges
Cyber ranges let organizations create a high fidelity digital replica of their production network. Security teams can then launch cyberattacks against this simulation and the organization can assess the network’s ability to detect, identify, and respond to this attack. Companies can therefore test the efficiency of their people, processes, and technology within a guaranteed safe environment. Through the constant testing of their defensive technology, businesses can make the necessary changes to further enhance their cyber protection capabilities and empirically measure how effective their tools are.
Educate the team
An IBM study found that 95% of cyber security breaches result from human error. As a significant proportion of attack success result from manual faults, it’s essential to educate and test employees essential to maintain the secure running of daily operations. The SlashNext State of Phishing Report for 2022 uncovered more than 255 million attacks within six months —a 61% increase in the rate of phishing attacks compared to 2021. As this percentage could rise dramatically again in 2023, it’s vital to ensure that all employees receive in-depth training and are made hyper aware of possible cyber threats, reducing skill-based and decision-based errors.
Being prepared to face a cyberattack not only encompasses the protection of data and networks, but also the ability to ensure high uptimes on company systems and a swift recovery after an attack. Cyberattacks are inevitable, yet the ability to quickly recover the network after a breach minimizes the damage done to a data bank and successfully reassures investors.
- Keep cyber resiliency on the boardroom table.
The board should always have cyber resilience on its agenda and discussions with management should include the company’s cyber defense strategies. Successful cybersecurity means constantly testing and adapting to the evolving threat landscape. The more often boards are exposed to cyber incidents and their causes, the more confident they become in detecting and reacting to a breach.
Although the new SEC rules force companies to report cyberattacks, they do not advise companies on how to protect themselves from them. That responsibility now lies on individual organizations, as investors will continue to seek reassurance and quantifiable evidence of cyber protection. Building resilience in an organization requires proper oversight from the boardroom and in-depth strategizing surrounding the efficient testing of an organizations’ people, processes, and technology.
Despite the increasing rate of cyberattacks, new defense technologies give organizations the confidence to defend themselves and fight back against cybercrime. Companies must stay prepared to defend their confidential and immovable data to avoid the reputational and monetary damage as well as the loss in investor confidence which follows data leaks and cyber hijacking. Businesses must act now to avoid potential fines, reprimands, and lack of trust in their organization. Instead, they must ramp-up their defense strategies so they are ready to adhere to these new regulations head-on.
Lee Rossey, chief technology officer, SimSpace.