New Cybersecurity Rules Proposed by SEC

29th November 2022 | Blog

New Rules Proposed by SEC

The U.S. Securities and Exchange Commission (SEC) is proposing new disclosure requirements by company boards regarding cybersecurity risk management, strategy, governance policies, procedures, and incidents.  This would be an amendment to the Securities Exchange Act of 1934.

CyberHoot views these proposed SEC disclosure requirements as a response to the increasingly common cyberattacks on US and global companies of all sizes. Whether these new rules, if passed, accomplish their stated objective of using “a properly designed reporting system… to assist industry in establishing strong, attack-resistant systems” over time remains to be seen. What is clear is that the time for companies to prepare is now. Establish and/or strengthen your risk management, policies, and procedures ahead of these new rules if you want to avoid potential fines resulting from reporting compliance failures.

Breach Reporting Timeline

If enacted by the SEC, companies will have a timer running after a breach discovery. According to the SEC, “reporting a cybersecurity incident within four days, not of the incident, but of the discovery” will be required. This means your Cybersecurity Incident Management Process (CIMP – you have one, right?) will need updating to include notification to the SEC, under rules yet to be established in the pending legislation.

Additional Proposed Rules:

The SEC proposal includes disclosure rules for:

  • A registrant’s policies and procedures to identify and manage cybersecurity risks, and how cybersecurity plays into business strategy, financial planning, and capital allocation.
    • CyberHoot’s analysis: Companies will need a robust, documented, and regularly updated Risk Management Program.
  • Management’s role in implementing cybersecurity policies and procedures.
    • CyberHoot’s analysis: Companies will need management-approved policies and processes.
  • The Board of Directors’ cybersecurity expertise, if any, and its role in assessing and managing cybersecurity risk.
    • CyberHoot’s analysis: A vCISO will be needed to build your cybersecurity program and to inform and guide the board of directors on risks.

No Criminal Charges, only Fines

While the SEC’s proposal would stop short of charging company boards or senior leaders with crimes for compliance failures, the SEC would have the right to levy fines. The sad truth of cyber-crime is that it never stops costing companies. There are a myriad of costs to a security breach, to which the SEC is going to add another potential – “What if?” – cost. Breach costs already include stolen intellectual property, forensic investigations, brand and reputational damage, credit monitoring, and cyber insurance premium escalations; fines for noncompliance with disclosure laws could now be added to the mix.

MSPs play a significant role

Managed Service Providers (MSPs) ought to sit up and take note of this. CyberHoot has noticed that many MSPs have very little in place by way of processes and procedures. That won’t fly in these situations. Get your own MSP house in order. Build your cybersecurity program using a vCISO (virtual or fractional Chief Information Security Officer). These consultants, while scarce, are highly qualified to assist you in building repeatable processes and procedures, not only for your MSP but also for your clients. Know that Rome wasn’t built in a day, and neither is your risk management program. The sooner you start, the greater the risk reduction you can gain before hackers strike and hold you, or one of your clients, for ransom.

Conclusion:

CyberHoot wants every company to approach cybersecurity with a prevention mindset. However, you must also plan for the worst. Build your cybersecurity incident management plan (CIMP) and schedule a practice session, known as a Table-Top exercise, to work out the kinks. In a critical cybersecurity incident, you don’t want to leave anything to chance by not having it scripted. The eventual reporting requirements will either lay bare well-laid plans or expose a lack of preparation, which could easily lead to costly fines.

Source:

SEC Proposing new Cybersecurity Disclosure Rules

Full SEC Fact Sheet

Additional Reading: 

SEC Cybersecurity Risk Management Report to Congress
