The U.S. Securities and Exchange Commission (SEC) has proposed new disclosure requirements for public companies and their boards covering cybersecurity risk management, strategy, governance, policies and procedures, and incidents. The proposal would amend the SEC's disclosure rules issued under the Securities Exchange Act of 1934.
CyberHoot views these proposed SEC disclosure requirements as a response to the increasingly common cyberattacks on US and global companies of all sizes. Whether these new rules, if adopted, accomplish their stated objective of using "a properly designed reporting system… to assist industry in establishing strong, attack-resistant systems" over time remains to be seen. What is clear is that the time for companies to prepare is now. Establish or strengthen your risk management program, policies and procedures ahead of these new rules if you want to avoid potential fines resulting from reporting compliance failures.
Breach Reporting Timeline
If adopted by the SEC, companies will have a clock running once they conclude that an incident is material. Under the proposal, a registrant must report a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material, not four days from when the incident occurred. Note the caveat: the clock starts at the materiality determination, so the determination itself must be made promptly and documented. This means your Cybersecurity Incident Management Process (CIMP – you have one, right?) will need updating to include a materiality assessment step and notification to the SEC under the final rule once it is adopted.
Additional Proposed Rules:
The SEC proposal includes disclosure rules for:
- A registrant's policies and procedures to identify and manage cybersecurity risks, and how cybersecurity factors into business strategy, financial planning, and capital allocation.
- CyberHoot's analysis: Companies will need a robust, documented, and regularly updated risk management program.
- Management's role in implementing cybersecurity policies and procedures.
- CyberHoot's analysis: Companies will need management-approved policies and processes, with evidence that they are actually followed.
- The board of directors' cybersecurity expertise, if any, and the board's role in assessing and managing cybersecurity risk.
- CyberHoot's analysis: A vCISO will be needed to build your cybersecurity program and to inform and guide the board of directors on risk.
No Criminal Charges, only Fines
While the SEC's proposal stops short of charging company boards or senior leaders with crimes for compliance failures, the SEC would have the right to levy fines. The sad truth of cyber-crime is that it never stops costing companies. There are a myriad of costs to a security breach, and the SEC is about to add another potential "what if?" cost. Breach costs already include stolen intellectual property, forensic investigations, brand and reputational damage, credit monitoring, and cyber insurance premium escalations; fines for noncompliance with disclosure rules could now be added to the mix.
MSPs play a significant role
Managed Service Providers (MSPs) ought to sit up and take note of this. CyberHoot has noticed that many MSPs have very little in place by way of processes and procedures. That won't fly in these situations. Get your own MSP house in order. Build your cybersecurity program using a vCISO (virtual or fractional Chief Information Security Officer). These consultants, while scarce, are highly qualified to help you build repeatable processes and procedures not only for your MSP, but also for your clients. Know that Rome wasn't built in a day, and neither is your risk management program. The sooner you start, the greater the risk reduction you can achieve before hackers strike and hold you, or one of your clients, to ransom.
CyberHoot wants every company to approach cybersecurity with a prevention mindset. However, you must also plan for the worst. Build your cybersecurity incident management plan (CIMP) and schedule a practice session, known as a tabletop exercise, to work out the kinks. In a critical cybersecurity incident, you don't want to leave anything to chance by not having it scripted. The eventual reporting requirements will either lay bare well-laid plans or expose a lack of preparation, which could easily lead to costly fines.