
Cybersecurity management and execution is quickly shifting from a luxury to a requirement for businesses of all kinds. And a proposed ruleset from the Securities and Exchange Commission (SEC) is yet another driving force behind the change. The SEC oversees financial operations for corporations that trade in public exchanges and enforces laws preventing financial fraud.
For companies that report to the SEC, including foreign private issuers (FPIs), this new ruleset may regulate how they disclose cybersecurity incidents, processes, and expertise. As proposed, these new rules would apply to corporate leadership and boards of directors of any company reporting to the SEC under the Securities Exchange Act.
The proposal would require leaders to disclose cybersecurity incidents and mandate periodic updates on previous incidents. Other requirements include:
- Reporting on cybersecurity risk-management policies and procedures
- Oversight of cybersecurity risk
- Management’s involvement in cybersecurity risk management and assessment, as well as the implementation of cybersecurity policies and procedures
- Disclosures about cybersecurity expertise among the board of directors
Action on this new ruleset will take time. It would be surprising if it were approved prior to the end of the year. But if enacted, this ruleset may become a double-edged sword for companies reporting to the SEC. While it would enhance cybersecurity, it could also translate to increased costs, following a trend we’ve seen in other industries.
Following an Oversight Trend
Federal cybersecurity oversight began when the SEC established the Sarbanes-Oxley Act of 2002 (SOX) for the oversight of financial disclosures.
Then in 2003, healthcare saw increased federal cybersecurity oversight with the passage of the HIPAA Security Rule, which created regulations for e-PHI. The same year, CISA was established to evaluate cyber threats facing the U.S.
And most recently, in 2020, the CMMC, overseen by the DoD, was created to oversee cybersecurity standards related to government contracts.
Now it appears the financial industry may be next in line for more oversight. New cybersecurity compliance standards could improve trust and business relations between organizations as well as investors. And immature security postures could damage public opinion, limiting growth, especially in the event of security incidents.
Also, the ruleset could have civil and legal components, which would influence public relations. For example, non-compliance with SOX warrants significant penalties including fines, removal of listing from public trade exchanges, and criminal charges for corporate leadership. The SEC already has rules for reporting cybersecurity incidents, but the proposed ruleset could include more punitive measures if these events stem from improperly managed systems.
Setting New Standards
Like HIPAA, this SEC ruleset could lead to new compliance standards. On the one hand, this increases the need for cybersecurity training. Luckily, end-user cybersecurity training solutions are relatively affordable and common.
On the other hand, the proposal requires management and leadership involvement for some companies. This has a significant associated monetary cost. Chief Information Security Officers (CISOs) receive C-suite level salaries. Furthermore, if SEC auditing becomes comparable with HIPAA, there would be costs associated with that process as well.
Finally, there are fines to consider. While it’s likely that there will be an implementation grace period, fines likely will follow if companies fail to comply.
What This DOES NOT Mean
Fortunately, if these changes are approved, they won’t be happening overnight. Government wheels turn slowly, and we will likely be waiting for a few months before the new standards are set. A grace period also typically follows implementation. CMMC, for example, was enacted in 2020 and remains in a grace period.
And while CISOs will certainly be nice to have, they may not be required for all. Typically, standards adhere to scoping laid out by the regulating agency. For example, if a company does not meet certain requirements, like size, revenue, or feasibility of operations, having a CISO may not be required. This is like HIPAA, which is not 100 percent prescriptive and has scoped requirements. Companies also have the option of contracting out CISO services as a cost-saving option.
Finally, it’s safe to assume that current cybersecurity initiatives will not be jettisoned. Government regulations usually stick to well-established standards like NIST CSF and ISO27k series. If organizations are basing their cybersecurity blueprints on these frameworks, the only changes they’ll likely see are new expertise and reporting standards.
How Companies Can Prepare
While this change could be sweeping, there are steps that companies in the financial sector can take now to get ahead of it:
- Develop/review your incident response plan (IRP): Your IRP should cover how you’ll handle reporting breaches to the SEC. In the event of an incident, the bulk of your resources will be devoted to containment, business continuity, and remediation. Further complicating things, the timeline for disclosing the breach to the SEC could be short, underscoring the need for a reporting plan that’s simple and efficient. Spell out who will be responsible for what. Test this component of your IRP annually. To determine whether your IRP and infosec program pass muster, check out our 5 Tips for Launching an Infosec Program.
- Review current security tools and practices: Now is a great time to make sure that your current tools are functioning properly, and that your policies and procedures are up to date. If you aren’t using continuous controls monitoring, now might be the time to start. You can learn more about some of the free, open-source security tools that we’ve created in this overview. And if it’s been a while since your last penetration test with social engineering, test again. It’s better to identify and close gaps now rather than later, when penalties may be involved. To learn more about the utility of penetration testing and vulnerability scanning, check out this explainer post.
- Develop cyber risk management methods: Inventory your digital assets. What do you have that could be useful to a malicious actor? Possibilities include customer data, proprietary information, or human resources data. Determine the impact of those risks and develop a Defense in Depth (DiD) strategy with compensating controls that make an exploit more difficult. Your DiD strategy should cover your people (end-user awareness training), processes (what they do to mitigate risk), and technology (risk mitigation tools). You can learn more about DiD, and how penetration testing assesses it, in this post.
Even if the proposed ruleset is never adopted, taking these steps will strengthen your organization’s cybersecurity posture. And in a world of increasing cybersecurity threats, enhancing your digital defenses is a true compounding investment.