🏛 What the SEC May Have in Store for Cybersecurity
Author: Mick Woodward @GoVanguard
Originally Featured on GoVanguard Security’s Blog.
Cybersecurity management and execution is quickly shifting from a luxury to a requirement for businesses of all kinds. And a proposed ruleset from the Securities and Exchange Commission (SEC) is yet another driving force behind the change. The SEC oversees financial operations for corporations that trade in public exchanges and enforces laws preventing financial fraud.
For companies that report to the SEC, including foreign private issuers (FPIs), this new ruleset may regulate how they disclose cybersecurity incidents, processes, and expertise. As proposed, these new rules would apply to corporate leadership and boards of directors of any company reporting to the SEC under the Securities Exchange Act.
Some other requirements would include:
- Report “material cybersecurity incidents” to the SEC within 4 days
- Report non-material incidents that, when combined with other incidents, become material “in the aggregate”
- Provide updates on prior incidents in periodic SEC disclosures
- Provide a description of the company’s cybersecurity risk management system
- Describe the Board’s oversight of cybersecurity risk
- Disclose the cybersecurity expertise of the Board members
In practice, this means senior leadership will be held to a higher standard and more detailed cybersecurity documentation will be required.
Action on this new ruleset will take time. It would be surprising if it were approved prior to the end of the year. But if enacted, this ruleset may become a double-edged sword for companies reporting to the SEC. While it would enhance cybersecurity, it could also translate to increased costs, following a trend we’ve seen in other industries.
📊 Following an Oversight Trend
Federal cybersecurity oversight began when the SEC established the Sarbanes-Oxley Act of 2002 (SOX) for the oversight of financial disclosures.
Then in 2003, healthcare saw increased federal cybersecurity oversight with the passage of the HIPAA Security Rule, which created regulations for e-PHI. The same year, CISA was established to evaluate cyber threats facing the U.S.
And more recently, in 2020, the Cybersecurity Maturity Model Certification (CMMC), administered by the DoD, was created to set cybersecurity standards for government contractors.
Now it appears the financial industry may be next in line for more oversight. New cybersecurity compliance standards could improve trust and business relations between organizations and with investors. Conversely, an immature security posture could damage public opinion and limit growth, especially in the event of a security incident.
Also, the ruleset could have civil and legal components, which would influence public relations. For example, non-compliance with SOX warrants significant penalties including fines, removal of listing from public trade exchanges, and criminal charges for corporate leadership. The SEC already has rules for reporting cybersecurity incidents, but the proposed ruleset could include more punitive measures if these events stem from improperly managed systems.
📝 Setting New Standards
Like HIPAA, this SEC ruleset could lead to new compliance standards. On the one hand, this increases the need for cybersecurity training. Luckily, end-user cybersecurity training solutions are relatively affordable and common.
On the other hand, the proposal requires management and leadership involvement for some companies, which carries a significant monetary cost: Chief Information Security Officers (CISOs) receive C-suite level salaries. Furthermore, if SEC auditing becomes comparable to HIPAA auditing, there would be costs associated with that process as well.
Finally, there are fines to consider. While it’s likely that there will be an implementation grace period, fines likely will follow if companies fail to comply.
🤔 What This DOES NOT Mean
Fortunately, if these changes are approved, they won’t be happening overnight. Government wheels turn slowly, and we will likely be waiting for a few months before the new standards are set. A grace period also typically follows implementation.
And while CISOs will certainly be nice to have, they may not be required for all. Typically, standards adhere to scoping laid out by the regulating agency. For example, if a company does not meet certain requirements, like size, revenue, or feasibility of operations, having a CISO may not be required. This is similar to HIPAA, which is not 100 percent prescriptive and has scoped requirements. Companies also have the option of contracting out CISO services as a cost-saving measure.
Finally, it’s safe to assume that current cybersecurity initiatives will not be jettisoned. Government regulations usually stick to well-established standards like NIST CSF and ISO27k series. If organizations are basing their cybersecurity blueprints on these frameworks, the only changes they’ll likely see are new expertise and reporting standards.
🔒 How Companies Can Prepare
While this change could be sweeping, there are steps that companies in the financial sector can take now to get ahead of it:
- Develop/review your incident response plan (IRP): Your IRP should cover how you’ll handle reporting breaches to the SEC. In the event of an incident, the bulk of your resources will be devoted to containment, business continuity, and remediation. Further complicating things, the timeline for disclosing the breach to the SEC could be short, underscoring the need for a reporting plan that’s simple and efficient. Spell out who will be responsible for what. Test this component of your IRP annually. To determine whether your IRP and infosec program are up to snuff, check out our 5 Tips for Launching an Infosec Program.
- Review current security tools and practices: Now is a great time to make sure that your current tools are functioning properly, and that your policies and procedures are up to date. If you aren’t using continuous controls monitoring, now might be the time to start. You can learn more about some of the free, open-source security tools that we’ve created in this overview. And if it’s been a while since your last penetration test with social engineering, test again. It’s better to identify and close gaps now rather than later, when penalties may be involved. To learn more about the utility of penetration testing and vulnerability scanning, check out this explainer post.
- Develop cyber risk management methods: Inventory your digital assets. What do you have that could be useful to a malicious actor? Possibilities include customer data, proprietary information, or human resources data. Determine the impact of those risks and develop a Defense in Depth (DiD) strategy with compensating controls that make an exploit more difficult. Your DiD strategy should cover your people (end-user awareness training), processes (what they do to mitigate risk), and technology (risk mitigation tools). You can learn more about DiD, and how penetration testing assesses it, in this post.
Even if the proposed ruleset is never adopted, taking these steps will strengthen your organization’s cybersecurity posture. And in a world of increasing cybersecurity threats, enhancing your digital defenses is a true compounding investment.
Fun Footer Stuff:
Copyright 2023 Enclave Regenerous. All of our work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. Simply put, please share it, provide attribution and if you remix it then share generously with others. The work of others that is featured on this site is always provided with attribution and is not directly monetized.
The opinions expressed here are respectively our own and do not reflect the views of our organization or anyone else unless quoted verbatim.
We try our best to provide helpful insight to folks but there is no warranty to completeness of anything we create or post here; so please be sure to always do your own research.