The new cyber-disclosure regulations adopted by the US Securities and Exchange Commission (SEC) have raised concerns: some firms worry the rules may end up aiding cyber-criminals.
The SEC's new rule on cyber-incident disclosure applies to public companies that file with the SEC. It will push those companies to strengthen their security practices and policies.
The SEC says the rule reflects its commitment to transparency and risk management in the sector and is intended to protect investors.
Corporate leaders need to be aware of the key components of the new rules:
1. Disclosure of significant cyber-security incidents
Once a company determines that a cyber-security incident is material, it must disclose it (on Form 8-K) within four business days of that determination. The clock starts at the materiality determination, not at discovery of the incident, so the determination itself must be made without unreasonable delay.
2. Annual reporting
Firms must also report annually on their cyber-security governance and risk management. Each year's annual report (Form 10-K) must disclose:
- Processes for identifying, assessing, and managing material risks from cyber-threats
- Whether risks from cyber-threats, including previous cyber-security incidents, have materially affected or are reasonably likely to materially affect the company
- The board's oversight of cyber-security risk, and management's role and expertise in assessing and managing it
Foreign private issuers must provide the SEC with comparable disclosures on their own forms.
3. Industry Reacts
Industry experts are divided on the advantages, potential drawbacks, and practical difficulties of the rule. Some executives have praised the SEC's initiative.
Richard Suls, WithSecure’s security and risk management consultant, applauds the rule, saying, “It is a significant step in the right direction. There are many potential advantages for investors as well as the security environment. This rule represents a significant shift in handling and disclosing cyber breaches.”
Applauding the timing of the new rules, Sylvain Cortes, VP of Strategy at Hackuity, notes,
“The White House’s new strategy is a wakeup call. We have to close the frightening gap between cybersecurity supply and demand. Beyond the enduring individual and organizational duties, there is a national security imperative. To put it simply, it takes a village. Security does not and cannot operate in a vacuum. The sooner entities can align security standards, the more secure our world will become. Today’s announcement is one step closer to that.”
Darren Williams, CEO and Founder of BlackFog, agrees: “These new regulations should dramatically change the way companies report breaches. They are now mandatory requirements. BlackFog has tracked the reported to unreported ransomware ratio since January of 2023. It has seen a 10:1 ratio of unreported to reported attacks.”
Williams hopes to see this drop with these mandatory reporting rules. “Data exfiltration is the preferred tactic of all ransomware today (89%). It is something that almost all companies have overlooked. Attacks are now at an all-time high. Organizations need to keep pace with new methods to prevent these attacks.”
With these new regulations, he also hopes to see an end to the general trend of hiding attacks for fear of retribution. “They must as well stop ransomware payments to cybercriminals in the process.”
Other industry leaders worry that the disclosure requirements may aid cybercriminals, by handing them information they can use for further intrusion or extortion, for example confirmation that a company is in the middle of an incident. The rule permits a delay only where the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, so companies cannot hold back a filing simply because remediation is incomplete.
The new rules also sharpen a technology dilemma, particularly for rapidly adopted tools such as AI.
Nitzan Shaer, co-Founder, and CEO of WEVO, says firms must remain vigilant about this.
“The promise of AI holds deep ramifications for the consumer internet and for the experience we have every day in an increasingly AI-driven world. These developments recognize the potential of AI. The commitments also highlight the importance of reliable and responsible user testing. It can address bias and discrimination.”
“AI’s transformative impact on our daily lives is all but inevitable. We must embrace the responsible use of technology. Firms must focus on safeguards and guardrails to maximize their potential while mitigating risks.”
About Alphabet’s new AI tool, he adds, “It will help journalists in validation for most accepted forecasts. AI could generate the majority of the internet’s content within a decade. Given this explosion, we must remain vigilant about vetting information produced by AI.”
Other industry leaders question the focus of the new rules. Dd Budiharto, CISO, board member, and founder of Cyber Point Advisory, has concerns.
He feels that while large businesses must follow the ruling, smaller ones will need capital to implement it, and that lawmakers need to come up with ways to support them.
He adds, “The equalizing period will take a while, but it’s a start. Many CISOs are already burnt out, and there is a need for more qualified CISOs globally. CISOs are expected to be a unicorn already. This ruling may push them over the edge if they don’t receive the desperately needed support. This ruling does not support SMBs (small and medium businesses).”
Organizations have to now prepare for and comply with the new disclosure rules.
4. Maintaining The New Standards
The SEC requirements set a clear new standard that is hard to meet. Gaining visibility across a global ecosystem of subsidiaries, vendors, and service providers is difficult and requires cooperation and standardization. Organizations will need sharper internal and external processes.
Organizations now need a clearer picture of their internal cyber-security posture and of their end-to-end supply chain, because an incident at a third party can still be material to them. This gives them the information they need to disclose to stakeholders and to map against the regulatory framework that applies in each jurisdiction where they operate.
Done well, this also improves risk management and cost-effectiveness: with deeper insight into their environment, organizations can identify weaknesses and then tighten internal controls.
5. Things to do right away
The likelihood of a security incident is rising across all industries, but a company controls how it plans for and handles a crisis. Here are some steps corporate executives can take in light of the new regulations.
- Bring together executives from across business divisions, with key departments such as IT, legal, finance, HR, and government relations at the table, so that the response is coordinated.
- Discuss how the regulations affect the company’s current crisis management strategies and procedures, in particular who makes the materiality determination and how quickly.
- Decide whether the current strategies need to be revised, and plan the revision.
Be fully compliant with the rules by December 18, 2023, when the incident disclosure requirement takes effect (smaller reporting companies have until June 15, 2024 for the Form 8-K incident disclosure). Ensure the firm can meet the incident disclosure deadline. To build muscle memory, revise security incident response plans and run simulations against them.
To ensure that leaders know their respective responsibilities:
- Update existing plans and protocols, and socialize them internally.
- Before a genuine crisis arises, conduct tabletop exercises. Pressure-test the plans and give staff practice in responding. Run mock exercises modelled on realistic cyber-security incidents, including the materiality call and the four-business-day filing clock.
- Use crisis management exercises to update business continuity planning. Ensure that strategies account for the risk of significant and sustained operational impairment, which is what ransomware and other pervasive cyber-security threats cause.
- Prepare the company’s annual report to include information about security risk management. As part of the yearly reporting process, review the information currently available.
- Spot any gaps, and start planning the narrative you will use to describe security risk management, since firms now have to disclose their strategy and governance.
How enterprises can benefit from the rules
- Mandatory disclosure of cyberattacks within a fixed timeframe increases accountability and ensures transparency.
- A strict deadline stops companies from sitting on information about cyber-incidents.
- Stakeholders and investors are promptly informed of breaches, which can have financial repercussions. This helps prevent cyber losses from being hidden in or distorting financial reporting.
- The new regulation may be a powerful inducement for businesses to improve their security policies and devote more funds to incident response and cyber-security measures.
Because a disclosed attack has a financial as well as a brand impact, companies have a stronger incentive to prevent one in the first place.
- The new rule can increase the corporate sector’s resilience. To comply, firms are likely to spend more on:
- Cutting-edge security technologies
- Threat intelligence
- Employee training
- Proactive risk assessments
Disclosing “material” impacts makes the financial repercussions of cyberattacks visible. By sharing this knowledge, businesses can learn from one another’s experience and develop industry-wide best practices for incident response and mitigation.
Shared knowledge also makes it harder for threat actors to exploit the same weaknesses across many organizations. This is security as a collaborative effort.
Issues with implementing the rule
It is important to recognize that businesses will face difficulties implementing this rule. It is not always possible to understand the full scope of a cyber-attack within a window as short as four business days, even though that window starts at the materiality determination rather than at discovery.
In some circumstances, businesses need more time to complete in-depth investigations before they can accurately estimate the financial effects. The adopted rule partly addresses this: a company that lacks required information at filing time may say so in the filing and then file an amendment once the information becomes available, so a preliminary disclosure followed by updates is the expected pattern rather than a single complete report.
Even so, the reputational damage and class actions that follow a disclosure may cause more harm than any fine.
Employees may also be unclear about what the disclosure means. Terminology matters: the SEC rule turns on a materiality determination, not on what the company calls the event, but labelling an incident a “data breach” before the facts are known can trigger other notification obligations and be cited in litigation. Use the term “incident” until a breach has actually been confirmed.
Here are a few things CIOs and CISOs can ensure:
- Choose discretion over rules
Adopting a purely compliance-based approach to cyber security may make it simpler to pass client audits, but it will not by itself make you secure. Standards take a long time to develop and implement, and the threat has evolved by the time they land.
They also reflect the minimum capability that standard-setters believe to be generally appropriate, not an aspirational one. Study consensus-driven standards, then develop a logical, defensible cyber-risk strategy that fits your own organization.
- Know how to play the game
Have the people who own risk management define the cyber-risk management strategy, rather than outsourcing the judgement to external assessors. The financial sector shows the danger: rating agencies, which are subject to market pressure and do not themselves manage banking risk, assigned low-risk ratings to products such as collateralized debt obligations and contributed to the financial crisis of 2007. Executives must still “play by the rules,” but they must own the judgement behind them.
- Use a barbell security approach
A barbell approach combines very low-risk and higher-risk risk management techniques while avoiding the middle path. Protect the IT systems that host your critical data to the greatest extent possible.
Where necessary, accept more risk on the rest of your network, and put more emphasis on resilience (the ability to keep operating and recover) than on preventing every intrusion.
- Practice what you would do in the event of a security incident
Regular incident response fitness testing prepares your company for a breach. Control the language the incident response team uses when communicating, because it may later be used as evidence in court. Make plans for completely rebuilding your IT estate from scratch.
Companies that have mastered operating without IT, or even without internet access, are the most resilient.
In conclusion, the open disclosure of cyberattacks is a commendable effort that can strengthen cyber-security practices and protect investor interests.
Adopting the new regulation will force businesses to prioritize protecting their confidential data and financial assets, and to take cyber-threats more seriously.