We sat down with Fayyaz Makhani, Security Architect at VikingCloud, to discuss the challenges business leaders currently face with the SEC’s latest ruling on incident disclosures and the steps they can take to make compliance less daunting.
We explore the critical need for robust incident response plans in light of these new regulations and discuss how a unified approach to cybersecurity between CISOs and boards can ensure compliance and enhance overall security posture.
Why has the SEC not punished any of these companies for failing to uphold the new disclosure standards?
The disclosure requirements went into effect for fiscal years ending on or after December 15, 2023. The SEC has not been shy about enforcement of similar disclosure requirements; take the example of the SEC's case against Blackbaud, Inc., which settled in 2023. In due course, we fully expect that this type of disclosure and evasion will be duly enforced. If an organization does not have a robust incident response plan in place already, it is behind in being prepared to comply with this regulation.
How can business leaders more effectively structure their incident response plans to align with the new SEC requirements, and why are robust incident response plans the most important cybersecurity measure that needs updating?
Start with a review of incident response plans with special attention to events and indicators that point to an incident. In our research, it has taken some companies more than 180 days to identify an incident. Per the new regulation, that is 176 days late and could put companies in the crosshairs of major penalties.
Next, work with legal and finance teams to understand “materiality” so that proper feedback can be provided to those teams.
Finally, ensure that there is an open communication channel amongst the leadership and board members.
How can organizations start pushing for a more unified, comprehensive approach to cybersecurity between CISOs and boards, and how will this help ensure compliance with the SEC's new regulation?
To be successful, this needs to be a collaborative effort. The starting point can be as simple as the board, in its leadership role, establishing regular and meaningful reviews of internal cyber policies. Knowledge gained from these reviews can bring to light areas that require additional support and security objectives that need to be realigned to the business objectives.