The SEC recently approved new rules requiring publicly traded companies to disclose all cybersecurity breaches that could impact their bottom lines within four days of an incident. The new rules also require companies to annually disclose information on their cybersecurity risk management and executive expertise in the field.
We sat down with Paul Truitt, Principal, National Cybersecurity Practice Leader at Mazars, to discuss the implications of this new set of rules on businesses.
What are the benefits of these rules for investors and public companies and how will additional transparency help close gaps in cybersecurity defense?
The benefits to investors are significant. Increasing the visibility for investors to invest in organizations that make appropriate investments in security controls to reduce the risk of significant impact from a data breach is something that will both create safer investments and improve the overall security of publicly traded organizations. Investors have visibility into many aspects of a business, allowing decisions to be made about potential risks, but cybersecurity has been an area that is not openly shared unless formal audits are performed or a data breach exposes potential gaps. Even then, many times the audit is focused on one aspect of the business, such as the financial system, to allow financial auditors to trust the system. Additional transparency will create an additional cost to public companies, but that cost can be funded with a reduction in overall risk and confidence from investors, potentially creating a differentiator from competition and allowing an increase in investment.
How can organizations prepare to comply with the new SEC guidelines for annual reporting on risk management strategies, and what systems should they implement to quantify risk?
An organization would be wise to invest in a security assessment by a trusted 3rd party utilizing an industry standard framework such as ISO 27001/27002, NIST 800-53, or the NIST Cybersecurity Framework. Developing a security program utilizing an industry best practice framework allows an organization to ensure they are making the right investments and developing a program to reduce risk in all areas of potential exposure. Once a more formal program has been established, organizations can invest in tools to help track controls, such as a GRC toolset.
What steps should smaller organizations that may not have a robust cybersecurity program in place take (policies, monitoring services, incident response services, etc.), and what are the benefits of working with an outside party to develop these programs?
Regardless of size, the same set of controls should be put in place. Smaller organizations can significantly benefit from looking to a 3rd party to help assess areas of risk and prioritize investment in maturing their security program. Many services that may be self-managed by larger organizations can be provided by managed security service providers at a fraction of the cost for smaller organizations. The best starting point for a smaller organization is to bring in a 3rd party to assess the security program based on a defined framework (many times NIST CSF is a good starting point), perform an internal and external penetration test, and perform a cloud services configuration review to identify potential risks with the use of cloud services.
What is the role of public company executives and board-level members in gaining a better understanding of the company’s cybersecurity risk and understanding these regulations and clarifications?
Oversight of the security program is the key role of executives and the board. Asking questions and evaluating the controls in place is a critical role that executives and boards should play. Reviewing outside assessments and penetration testing reports, asking how security controls are being implemented (and based on what framework), and asking how processes are being assessed for adherence to policies should be part of regular updates with executive teams and boards.