Contributor Insight: Navigating Cybersecurity Risk Management Strategy in the Face of New SEC Rules

Submitted by: ProcessUnity

Author: Sophia Corsetti

Contributor Insight - On July 26th, the Securities and Exchange Commission (SEC) adopted long-anticipated rules that require public companies to disclose material cybersecurity incidents and their cybersecurity risk management strategy. These rules are designed to provide greater transparency and keep investors and the public informed about a company’s cybersecurity resilience and recovery efforts.

The new rules add another layer of complexity to the growing list of cyber reporting and compliance requirements. Many organizations are now required to establish a formalized cybersecurity risk management and governance framework. This entails regular risk assessment, the development of mitigating actions, and effective communication with stakeholders.

This article delves into the implications of the new SEC rules and outlines the anticipated next steps that organizations need to take in order to comply with these requirements and enhance their cybersecurity practices.

Understanding the New SEC Rules

The key provisions set forth by the SEC revolve around incident reporting and cybersecurity risk management, governance, and strategy disclosure. These provisions include:

  • Disclosure of Material Cybersecurity Incidents: Companies must report a material cybersecurity incident within four business days on Form 8-K. The SEC defines a "material" incident as one that has a substantial likelihood of influencing an investor's decision. This definition encompasses both qualitative and quantitative factors, such as reputation, competitiveness, relationships, and financial losses. It is crucial to note that materiality determinations must be made promptly. This requirement compels companies to identify and respond to material incidents swiftly, fostering a proactive approach to cybersecurity risk.
  • Disclosure of Cyber Risk Management Strategy and Governance: Companies are required to submit an annual description of their processes for assessing, identifying, and managing material risks from cybersecurity threats. This description should provide sufficient detail for investors to understand these processes. The SEC also mandates disclosure of the related corporate governance, including the board's oversight of risks from cybersecurity threats and management's role in assessing and managing them.

While these new rules offer benefits by prompting companies to take decisive action in managing cybersecurity risk, they also raise concerns. Public disclosure of cybersecurity practices may inadvertently expose sensitive information to malicious actors.

Impact on Current Cybersecurity Practices

The introduction of these SEC rules necessitates the establishment of formalized cybersecurity risk management programs. This includes defining procedures and accountability. Previously, cybersecurity risk management was often embedded within a broader risk practice. However, the increased regulatory focus on this domain implies its growing significance in the years ahead.

Companies are now tasked with forming a cybersecurity risk committee and keeping it regularly informed. These rules signal a shift in the allocation of cybersecurity responsibilities. The onus is no longer solely on the Chief Information Security Officer (CISO); instead, board members must be informed about cybersecurity practices and participate in risk decisions. Investing in cybersecurity best practices becomes imperative.

Enhancing Cybersecurity Practices for Compliance

As the new SEC rules roll out in the coming months, companies should take immediate steps to develop their cybersecurity risk management practices. Here are practical measures that cybersecurity leaders can adopt:

  1. Baseline Cybersecurity Requirements: Identify frameworks, regulations, and standards aligned with your organization. Map these requirements to your controls and policies to identify gaps and areas for improvement. Utilize tools like the Secure Controls Framework, which offers pre-built control mappings across common frameworks.
  2. Regular Risk Assessments: Continuously identify, assess, and rate cybersecurity risks. Develop a risk assessment methodology, including a risk register. Translate risk assessment data into terms understandable by the business.
  3. Create an Incident Management Process: Establish a process for rapidly identifying and responding to incidents. Implement automation to track incidents and mitigation efforts. Maintain visibility into the organization's response to material events.
  4. Regular Reporting on Findings: Gather high-quality data quickly to keep board members informed. Utilize a cybersecurity risk management platform to aggregate information needed for incident reports.

The SEC's adoption of new rules mandating the disclosure of material cybersecurity incidents and risk management strategies marks a pivotal step toward transparency and accountability. While these rules introduce both benefits and concerns, they encourage companies to proactively manage cybersecurity risks. The evolving role of the CISO and board involvement underscore the growing importance of cybersecurity risk management.

To comply with these rules and enhance cybersecurity practices, organizations must promptly establish formalized risk management frameworks. Regular risk assessments, incident management processes, and the use of cybersecurity risk management platforms are essential steps to thrive in the face of evolving cyber threats. Embracing these changes demonstrates a commitment to cybersecurity resilience and protection for investors and the public.