The U.S. Securities and Exchange Commission (SEC) is proposing new disclosure requirements by company boards regarding cybersecurity risk management, strategy, governance policies, procedures, and incidents. This would be an amendment to the Securities Exchange Act of 1934.
CyberHoot’s views these proposed SEC’s disclosure requirements as a response to the increasingly common cyberattacks on US and global companies of all sizes. Whether these new rules, if passed accomplishes their stated objective of using “a properly designed reporting system… to assist industry in establishing strong, attack-resistant systems” over time remains to be seen. What is clear, is that the time for companies to prepare is now. Establish and/or strengthen your risk management, policies and procedures ahead of these new rules if you want to avoid potential fines resulting from reporting compliance failures.
If enacted by the SEC, companies will have a timer running after a breach discovery. According to the SEC “reporting a cybersecurity incident within four days, not of the incident, but of the discovery” will be required. This means your Cybersecurity Incident Management Process (CIMP – you have one, right?) will need updating to include notification to the SEC under rules yet to be established in the pending legislation.
The SEC proposal includes disclosure rules for:
While the SEC’s proposal would stop short of charging company Boards or senior leaders with Crimes for compliance failures, they would have the right to levy fines. The sad truth of cyber-crime is that it never stops costing companies. There are a myriad of costs to a security breach to which the SEC is going to add another potential – “What if?” cost. Breach costs include the cost of stolen intellectual property, the cost of forensic investigations, brand and reputational damages, credit monitoring, cyber insurance premium escalations, and now, potentially fines for noncompliance with disclosure laws could be added to the mix.
Managed Service Providers (MSPs) ought to sit up and take note of this. CyberHoot has noticed that many MSPs have very little in place by way of processes and procedures. That won’t fly in these situations. Get your own MSP house in order. Build your cybersecurity program using a vCISO (virtual or fractional Chief Information Security Officer). These consultants, while scarce resources, are highly qualified to assist you in building repeatable processes and procedures not only for your MSP, but also for your clients. Know that Rome wasn’t built in a day and neither is your risk management program. The sooner you start the greater risk reduction you can gain before hackers strike and hold you, or one of your clients, out for ransom.
CyberHoot wants every company to approach cybersecurity with a prevention mindset. However, you must also plan for the worst. Build your cybersecurity incident management plans (CIMP) and schedule a practice session, known as a Table-Top exercise to work out the kinks. In a critical cybersecurity incident, you don’t want to leave anything to chance by not having it scripted. The eventual reporting requirements will lay bare either well laid plans or expose a lack of preparations which could easily lead to costly fines.
Source:
SEC Proposing new Cybersecurity Disclosure Rules
Additional Reading:
Discover and share the latest cybersecurity trends, tips and best practices – alongside new threats to watch out for.
Spoiler alert: If you’re still using “password123” or “iloveyou” for your login… it’s time for an...
Read more
CyberHoot June Newsletter: Stay Informed, Stay Secure Welcome to the June edition of CyberHoot’s newsletter,...
Read more
Stop tricking employees. Start training them. Take Control of Your Security Awareness Training with a Platform...
Read moreGet sharper eyes on human risks, with the positive approach that beats traditional phish testing.
