This guest blog was contributed by Devin Partida, Editor-in-Chief of ReHack.com. Devin's work has been featured on Security Boulevard, AT&T Cybersecurity and Hackernoon.
Cybersecurity has been critical to running a large company as long as organizations have relied on digital tools. Now that the SEC has finalized a new set of security disclosure rules for publicly traded businesses, it’s even more important.
The SEC’s cybersecurity disclosure amendment took effect on Sept. 5, 2023, after the agency finalized the rules the prior July. The regulations require public companies to report significant security incidents and publish their methods of managing them. Complying with these rules will undoubtedly reshape how public businesses operate.
Transparency Is Essential
The most straightforward impact of the SEC’s cybersecurity disclosure rule is a growing demand for transparency. Many other regulations already carry disclosure requirements; the GDPR, for example, requires companies to inform users of data breaches. The new SEC rule takes these requirements further.
The SEC rule applies to any publicly traded company in the U.S., including some organizations that previously didn’t fall under any other security regulations. Under the new rule, companies must report “material cybersecurity incidents” within four business days of identifying their impact. Consequently, these disclosures will often happen before security teams have resolved the issue.
It takes an average of 24 days to complete the investigation of a cyber incident, and most companies take 67 days to disclose it. Complying with the new SEC requirements demands a much faster timeline, which means IT systems must provide a significantly higher level of visibility into what is happening on them.
Response Times Must Be Fast
Public organizations must be able to respond quickly to potential breaches. The conventional timeline is far too slow to meet SEC requirements. Closing that gap will require many companies to take an entirely new approach to event discovery and response.
Businesses under the new SEC rule should consider adopting autonomous network monitoring. Automation streamlines breach incident reporting without requiring a dedicated security team to watch systems around the clock, and the real-time alerts it produces give companies a realistic chance of meeting the four-business-day disclosure timeline.
Developing a formal response plan is another key part of accelerating response times. The SEC makes this easier in one sense by providing a specific form — Form 8-K — to report incidents. Still, organizations should also implement company-specific containment and communication plans.
Security Becomes a Stock Value Issue
Cybersecurity will become more of a business issue as companies start reporting cyber incidents under this rule. Now that the law requires these disclosures, public awareness around shortcomings will likely rise. Consequently, security incidents could drive people to sell or avoid buying stocks, devaluing the company.
Public businesses hoping to remain valuable must embrace higher security standards, and pursuing third-party certification is an ideal way to do so. The NIST special publications that federal agencies must meet also serve as useful voluntary standards for commercial organizations.
Achieving government security standards and other third-party certifications demonstrates to potential shareholders that the company takes security seriously. Adopting these more secure practices will also prevent incidents that require reporting, keeping the business in a positive public light.
Management Bears More Responsibility
The SEC’s new rules also emphasize management’s role in governance. As part of their annual disclosures on how they identify and manage risks, businesses must describe the board of directors’ involvement. While the rules don’t prescribe many specific security standards, this clause makes clear that cybersecurity must be a matter for leadership.
This emphasis on management means cybersecurity must become an active company priority. People in leadership roles should model security best practices, and boards should make reviewing and discussing security part of every strategic meeting. Cybersecurity will no longer be an afterthought or solely the realm of IT, but a driving force behind corporate decision-making.
This shift is important because 60% of cybersecurity professionals say users with far-reaching access privileges pose the largest insider threat risks. Placing the onus for better security on upper management forces businesses to tackle these weaknesses head-on.
Companies Face Challenging Balancing Acts
In many ways, the SEC’s new cybersecurity regulations will improve businesses from a security perspective. However, the rule also poses some challenges. One of the most significant is balancing quick, informative disclosures against the need to keep sensitive details private.
Because the disclosure timeline is so tight, organizations will likely have to make public statements while still actively dealing with the threat. Attackers who learn what steps the company is taking may change their approach or escalate the situation. At the same time, businesses risk exposing sensitive information if they reveal too much about their response plans.
Emphasizing response speed through thorough training and automation will help companies contain more of the incident before disclosing it. Businesses must also review the specific letter of the rule before publishing any disclosure to determine exactly what information they are required to reveal. The best approach is to omit identifiers and other potentially sensitive details wherever possible.
It’s Time for Public Companies to Embrace Cybersecurity
The SEC’s new cybersecurity disclosure rule brings legal consequences to what businesses should’ve already been doing. It’s time for publicly traded organizations to prioritize security if they haven’t already.
Many businesses face challenging shifts ahead. Tackling them well will leave those businesses better off, both in their cybersecurity posture and in their performance in the stock market.