There’s no doubt the SEC’s new cybersecurity disclosure rules represent a revolutionary shift and will increase the compliance burden on companies. But, as Jose Seara, CEO of DeNexus, explores, the new rules also present an opportunity for the clever CISO.
Editor’s note: Jose Seara is CEO of DeNexus, a cyber risk quantification and management technology provider.
The SEC’s new cybersecurity disclosure rules, which took effect in December, mark a major period of transformation for public companies. They must now disclose a cyber incident within four business days of determining that it is material (the clock starts at the materiality determination, not at discovery), and they are also compelled to report details about their cyber risk management, strategy and governance in their annual filings.
Beyond the obvious changes, the new rules have sparked conversations about the need for cyber risk quantification and management amid heightened risk, as well as debate over whether the timeframe is adequate to confirm a breach, understand its impact and coordinate timely notifications.
Whatever those concerns, noncompliance carries significant repercussions for chief information security officers (CISOs) and security teams. The SEC has already shown its willingness to pursue aggressive actions against organizations and even individuals.
To meet these requirements, organizations need a security program that does more than mitigate risk: it must continuously monitor cyber risk and its potential financial impact, so that the data needed to support a materiality determination and a disclosure is available when the four-business-day clock starts.
Implications for CISOs
The implications of noncompliance of SEC mandates have most recently been highlighted by the agency’s case against SolarWinds CISO Timothy Brown, who is facing allegations of fraud and internal control failures, a case that predates the new disclosure rules.
As it continues to play out in the public eye, this case underscores the heightened importance of compliance. Organizations and their leadership teams that fail to satisfy SEC requirements may face civil enforcement actions by the SEC, criminal prosecution by federal or state authorities, and civil liability from investor lawsuits.
CISOs should look at the new mandate as an opportunity to reinforce their business case for cybersecurity and risk mitigation. From detailed asset inventories and cybersecurity maturity assessments to cyber risk quantification for proper and efficient risk management (including the evaluation of risk transfer such as cyber insurance), CISOs can use these requirements to elevate the projects and processes that give an organization an understanding of, and proactive control over, the portfolio of cyber exposures it faces.
Companies that proactively engage in a systematic review of their cybersecurity and cyber risk management programs will not only comply more easily with the new regulations but will also almost immediately strengthen the cyber resilience of their business.
Cyber risk translation
To prevent the extensive damage of potential cyber breaches and other incidents, the conversation about potential cyber risk needs to extend beyond CISOs. Other C-suite executives must be included in the discussion to ensure that organizational leaders are fully aware of the extent of these risks and their implications beyond immediate security-related concerns.
C-suite leaders other than the CISO should also be encouraged to participate in risk mitigation and to pull their own teams into security efforts. Doing this effectively requires a common language among CISOs, chief financial officers and boards.
To communicate risk in a way all business leaders (not just technology-savvy CISOs) can understand, cyber threats usually need to be translated into tangible consequences that stakeholders without a security background can relate to. One example is expressing a potential cyber risk as a monetary loss or a likely lawsuit, rather than solely in security terms. This appeals to the knowledge and priorities of business leaders and board members who may not be familiar with cybersecurity vocabulary, and it keeps everyone on the same page about the magnitude and scope of the damage associated not only with security incidents but also with security-related noncompliance.