Page 161 - Cyber Defense eMagazine September 2023

public companies that may lack a robust cybersecurity and reporting plan, as outside experts can act as a team extension of an organization’s existing talent when it comes to evaluating vulnerabilities, rethinking investments, implementing controls and determining when and how to report the information the SEC will soon demand.




The roles of executives and directors

One of the most important aspects of this new rule is the involvement of executives and members of a company’s board of directors, as their engagement in and understanding of the organization’s cybersecurity posture become essential. Not only will this require a level of understanding of the new SEC rule, but it also necessitates adding a layer of governance to ensure the company follows it. Impacted companies should immediately begin hosting internal conversations between executives, directors and the organization’s cybersecurity experts to take a close look at the controls currently in place and assess their efficacy. This may include reviewing assessments from outside experts and penetration-testing reports. Additionally, executives and directors should ask questions about how security controls are being implemented and how processes are being assessed to gain further insight into the current controls in place — and areas for improvement.



Final thoughts

The SEC’s new rule marks a crucial step in bridging the cybersecurity information gap between organizations and external stakeholders, while simultaneously encouraging public companies to reassess and strengthen their overall cyber strategies. For many enterprises, this will require a significant amount of work to be accomplished before the rule takes effect in December. At this stage, working with third-party advisors to leverage their expertise should be a key consideration. When the reporting and disclosure requirements become mandatory, companies will have to expect that news of their cyber incidents will be broadcast far and wide. But the enterprises that begin preparing now for this eventuality will be better positioned to safeguard their operations, reputation and financial success when the time comes.




















            Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.