Page 160 - Cyber Defense eMagazine September 2023
The final rule also requires companies to describe their cybersecurity risk management, strategy and
governance, including how they maintain and assess their security program, in their annual Form 10-K
filings. The implications of this new obligation are widespread and will usher in a new era of cyber
transparency for investors, the media and other key stakeholders. It ratchets up an already intense level
of scrutiny on executives, particularly CTOs, CIOs and CISOs, who must now develop and execute yet
another strategic program to strengthen, measure and report on their cybersecurity posture.
Building stakeholder confidence through clarity
The new regulations will give investors and other stakeholders a new level of visibility into the
cybersecurity approach of the organizations they invest in and follow. By mandating that companies
disclose material cyber incidents, the SEC is giving stakeholders a window into the threats facing enterprises
and how well, and how often, they thwart those threats, or fail to.
Just as external stakeholders now evaluate publicly available financial information to judge how
well a company executes on its business model, they will soon be able to evaluate how successfully an
enterprise is implementing its cyber strategy. Historically, cybersecurity has been a relatively obscure
domain when assessing a business, with information usually coming to light through voluntary reporting
by affected companies, sometimes well after the event. For example, a large service provider to
managed-healthcare organizations reported in March 2023 that a data breach had affected 4.2 million
individuals; the incident itself had occurred nearly one year before the public disclosure.
Once the new SEC reporting rules take effect, the potential repercussions are wide-ranging. Will
securities analysts grill executives during earnings calls about reported data breaches or gaps in their
security program? Will journalists publish league tables of the companies that file the most cyber-attack
disclosures, or grade them on the security control frameworks they claim to follow?
Strengthening cybersecurity through accountability
Apart from being required to report material cyber incidents promptly (the final rule sets a deadline of
four business days after a company determines that an incident is material), public companies will also
need to provide annual disclosures about their cyber risk management strategies and the cyber expertise
of the company's management. This not only adds a further layer of accountability for companies, but
also presents an opportunity to strengthen current risk management strategies.
As organizations develop more comprehensive risk management strategies in response to the SEC's
requirements, they may want to consider commissioning an annual security assessment by a trusted
third party. By verifying that their organization aligns with industry standards such as ISO 27001/27002,
NIST SP 800-53 or the NIST Cybersecurity Framework, business leaders can better position themselves
and their teams to identify risks, implement controls and reduce exposure in the areas where they are
most likely to be attacked.
Partnering with trusted third parties that track the latest threats — and cutting-edge mitigation strategies
and tools — can benefit almost any organization. But this tactic can be particularly important for smaller
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.