Page 188 - Cyber Defense eMagazine April 2023

SEC Changes the Game

It's human nature to hide flaws and imperfections, but daily headlines blaring the latest breach have inspired the Securities and Exchange Commission to turn that instinct upside down with new disclosure requirements. A proposed SEC ruling will force public companies to disclose material security incidents within four days. “Material” means anything that could impact a company’s stock price – which is nearly impossible to determine that fast. This implies legally actionable consequences based on far more uncertain criteria than the conventional governance and compliance standards that security managers are used to dealing with.


If this proposal becomes law, it will eclipse the historical impact of the Sarbanes-Oxley Act 20 years ago, which was implemented by Congress in reaction to corporate accounting scandals. When public companies adopt this new level of reporting, it will inevitably trickle down into the greater private sector, forcing the hand of corporate communications and investor relations teams to engage immediately with constituents, especially investors.



The Path to Cyber Investor Confidence


There’s a lot of work to be done to refocus marketing on cyber with a strategy of ultra-transparency! In a recent Forrester survey, security decision-makers ranked investors last on their list of stakeholders to receive cyber performance reporting. In stark contrast, investors surveyed by RBC Global Asset Management identified security as one of their most important governance issues.


In this significant change management moment, marketing teams, legal, and investor relations professionals must adopt a new discipline: integrate cyber assurance into customer and investor communications. Here are the top-five enterprise strategies to help close the gap between security posture and market confidence:


•  Establish an investor relations cyber program
    o  Build and leverage a corporate Trust Center that is featured prominently on your company’s website and within investor communications. The Trust Center should showcase risk management priorities, security policies, privacy assurance practices, and compliance information across all divisions and product lines.
    o  Within the Trust Center, use compliance frameworks as your “seals of approval.” These provide proof points that connect security posture with operational resilience and brand trust.

•  Link security posture to performance metrics
    o  Provide visibility to investors through presentations and regular financial reporting that validates management’s intentions and demonstrates your cyber program's effectiveness. Investors value quantitative, objective metrics regarding cybersecurity performance and outcomes, always in context with policies, controls, governance, and procedures.






