Navigating the Cybersecurity Landscape: A Roadmap for CISOs and Boards in the Age of Transparency
The new U.S. Securities and Exchange Commission (#SEC) #cybersecurity #regulation significantly affects publicly traded corporations, introducing a new era of cyber transparency. The regulation's main focus is to improve #cyberincident reporting, risk management, and governance for public companies. Regulations tend to follow technological innovation with quite a delay, and this proposal for publicly traded companies is no different. At the same time, it reflects the broader shift (together with the US National Cybersecurity Strategy) towards more transparency and responsibility in safeguarding critical IT/OT systems. But what could this mean for #Europe and the global cybersecurity landscape?
I. Targeted Organizations
The SEC regulation primarily targets publicly traded corporations in the United States, which must comply with a new set of requirements related to cybersecurity risk management and incident disclosure. These companies are subject to mandatory reporting of material cyber incidents and more extensive disclosure of their cyber risk management and governance practices. As a result, corporate boards and #CISOs must adapt their strategies and policies to comply with the new rules, addressing potential vulnerabilities and ensuring adequate cyber risk management.
SEC’s proposed disclosure requirements in brief:
The SEC foresees that the overall cyber (and business) risk management posture of organizations will become more structured under the proposed regulation: cyber readiness and the cyber attitude of the organization should be reflected in the disclosures, so they have to become a topic for board discussions. CISOs should also be enabled to ramp up their requirements, capabilities, and capacities to meet the reporting requirements while actually achieving a better cybersecurity posture overall.
II. Challenges for Organizations
A. Reporting Material Cyber Incidents
One of the significant challenges for targeted organizations is determining what constitutes a "material" cyber incident. The SEC's proposal requires companies to report such an incident on Form 8-K within four business days of determining that it is material. Note that the clock starts at the materiality determination, not at discovery, so organizations need a documented, repeatable process for reaching that determination without undue delay. However, the term "material" is open to interpretation, and companies may struggle to decide when an incident merits reporting. This challenge is further complicated by the fact that the SEC may use the reported information for enforcement actions, causing organizations to be cautious in their disclosures.
B. Disclosing Cyber Risk Management and Governance Practices
Another challenge for organizations is the requirement to disclose their cyber risk management, strategy, and governance practices in annual reports (Form 10-K), and to provide updates on previously reported incidents in periodic reports (Forms 10-Q and 10-K). Companies may be hesitant to reveal too much information about their practices, fearing that doing so could provide a roadmap for potential attackers. Moreover, some organizations may not have established robust governance structures, making it difficult for them to meet the SEC's expectations for disclosure.
C. Ensuring Board Expertise and Oversight
The SEC regulation also places new responsibilities on corporate boards: under the proposal, companies would have to disclose whether any director has cybersecurity expertise and, if so, the nature of that expertise. In practice this pushes boards to have at least one such director (!). Finding and retaining qualified individuals may be challenging, given the high demand for cybersecurity professionals (especially those with business experience). Furthermore, the entire board must be engaged in overseeing cybersecurity risk management, which can be difficult for directors without extensive technical backgrounds.
D. Compliance and Resource Allocation
Complying with the new regulation may require significant investments in resources, including technology, personnel, and training. Organizations will need to allocate resources strategically to ensure they can meet the regulation's requirements while maintaining operational efficiency.
E. Know what you don’t know
A crucial aspect of complying with the SEC regulation and improving cybersecurity posture is for companies to acknowledge and address their knowledge gaps. The "know what you don't know" approach involves identifying areas where the organization may lack expertise, understanding, or visibility into its cybersecurity landscape. No management board can reach the state of "knowing what it doesn't know" purely by looking at compliance requirements; it takes independent assessment, testing, and honest reporting from the operational level.
III. Shortcomings of the Regulation
While the SEC's proposed cybersecurity regulations aim to improve transparency and risk management, they may have some shortcomings when it comes to implementation:
A. For Organizations
1. Ambiguity of what is "material"
As previously mentioned, the SEC regulation leaves some room for interpretation regarding what constitutes a "material" cyber incident. This ambiguity can make it difficult for organizations to determine when they are required to report an incident, potentially leading to under-reporting or over-reporting.
2. Inadvertent disclosure of sensitive information
The regulation's focus on transparency and disclosure may inadvertently create a roadmap for cyber criminals, who can exploit the detailed information about a company's cybersecurity practices to plan targeted attacks. This risk could lead to companies hesitating to be fully transparent about their cyber risk management strategies, even if they are required to do so.
3. Compliance burden
The proposed regulations may impose significant compliance and reporting burdens on public companies, particularly small- and medium-sized enterprises with limited resources. The costs of compliance, including the need to invest in additional cybersecurity measures, personnel, and reporting infrastructure, could strain some businesses or simply push them to invest in solutions that yield no real cyber benefit (see next point).
4. Risk of a "box-ticking" mentality
Companies may focus on meeting the letter of the regulation, rather than genuinely improving their cybersecurity posture. This could result in a compliance-oriented approach that emphasizes documentation and reporting over substantive improvements in cybersecurity practices.
5. Limited applicability
The proposed regulations target public companies listed on U.S. stock exchanges, leaving private companies and other organizations outside the scope of these rules. This limited applicability may hinder the overall impact of the regulations on improving cybersecurity across all sectors and industries.
6. Potential for regulatory fragmentation
If other countries and regions adopt different cybersecurity regulations, businesses operating in multiple jurisdictions may face a complex and fragmented regulatory landscape. This could make compliance more challenging and increase the cost and complexity of managing cybersecurity risks globally.
B. For Regulators
From a regulator's perspective, the shortcomings of the proposed cybersecurity regulations could include:
1. Enforcement challenges
The SEC (and any regulator) may face challenges in enforcing the new regulation, given the sheer number of publicly traded corporations and the complex nature of cybersecurity. Moreover, determining whether a company has adequately complied with the requirements may be difficult due to the technical nature of the subject matter.
2. Limited scope
As the SEC's jurisdiction primarily covers public companies listed on U.S. stock exchanges, the regulations will not address the broader issue of cybersecurity across private companies and other organizations. This limitation may hinder the overall effectiveness of the regulations in improving cybersecurity practices at a national or global level.
3. Balancing transparency and security
Regulators will need to strike a balance between promoting transparency and safeguarding sensitive information. Encouraging companies to disclose more information about their cybersecurity practices may inadvertently lead to the exposure of vulnerabilities that could be exploited by threat actors.
4. Risk of regulatory fragmentation
As for organizations, regulatory fragmentation can become a challenge for the SEC as well if other countries and regions adopt different approaches to cybersecurity governance. This fragmentation could make it more difficult for regulators to collaborate and share information, potentially undermining efforts to combat global cyber threats.
5. Evolving threat landscape
Cybersecurity threats are constantly changing, and regulators may struggle to keep pace with new and emerging risks. The regulations may need to be updated frequently to remain relevant and effective, which could prove challenging for both regulators and the companies they oversee.
6. Enshrining cyber as a cost factor instead of a business enabler
The new regulations could have unintended consequences, such as driving companies to treat cybersecurity purely as a compliance cost and to focus on compliance at the expense of substantive improvements to their cybersecurity posture. Regulators will need to monitor the impact of the rules and be prepared to adapt them as necessary to ensure they achieve their intended objectives.
IV. Implications for EU Companies
EU companies with a presence in the United States, or those listed on US stock exchanges, must comply with both the SEC regulation and EU #legislation. This dual compliance requirement may create challenges for EU companies, as they must navigate the complexities of both regulatory frameworks and allocate resources accordingly. Additionally, EU companies may face competitive disadvantages if the SEC regulation places additional burdens on them compared to their US counterparts. Also, as the US government and US tech are leading the global cyber landscape, any US regulation might easily become a de facto standard, with minor or larger adjustments.
The implications of these new requirements can extend to European companies and markets in several ways:
1. European companies listed on U.S. stock exchanges
European companies that are listed on U.S. stock exchanges, or those with American Depositary Receipts (ADRs), may be directly subject to the SEC's proposed cybersecurity regulations. These companies will need to comply with the new reporting and disclosure requirements just like their U.S. counterparts and thus should start preparing to meet these new obligations.
2. Influence on European regulators
The SEC's proposal may influence European regulatory bodies, such as the European Securities and Markets Authority (ESMA) and national regulators within the European Union, to introduce similar rules and regulations for companies listed on European stock exchanges. If European regulators follow suit, companies within the EU may face similar disclosure requirements related to cybersecurity risk management, strategy, governance, and incident reporting.
3. Market expectations and investor demands
The SEC's proposed regulations may lead to increased market expectations and investor demands for transparency around cybersecurity practices, even for companies not directly subject to the regulations. European companies may feel pressure to voluntarily adopt similar disclosure practices to meet investor expectations and maintain their competitive position in the global market.
4. Global supply chain and third-party risk management
European companies that collaborate with U.S. public companies or are part of their supply chain may be indirectly affected by the proposed regulations. U.S. companies subject to the new requirements may demand more transparency and stronger cybersecurity practices from their European partners and suppliers, as part of their efforts to improve their own cyber risk management and reporting.
5. Benchmarking and best practices
As U.S. companies begin to adopt the SEC's proposed cybersecurity regulations, European companies may choose to use these new requirements as a benchmark for their own cybersecurity practices. Implementing similar policies and procedures could help European companies improve their cyber risk management and demonstrate their commitment to strong cybersecurity practices to investors, customers, and other stakeholders.
V. How to act?
To meet the possible requirements of the upcoming SEC cybersecurity rules, EU and US companies should consider taking the following actions:
1. Conduct a thorough cybersecurity risk assessment
Companies should identify their critical assets, potential vulnerabilities, and possible threats. This assessment will help them understand their current cybersecurity posture and identify areas that need improvement.
2. Develop and validate a comprehensive cybersecurity risk management program
Based on the risk assessment, companies should develop a strategic plan to address identified risks and strengthen their cybersecurity defenses. This plan should include policies, procedures, and controls to protect sensitive data and prevent cyberattacks. The plans should be validated regularly by testing them through cyber drills, #cyberexercises, simulations, etc.
3. Review and update incident response plans
Companies should have a well-defined and updated incident response plan in place to ensure timely detection, reporting, and remediation of cybersecurity incidents. Regularly reviewing and testing these plans is crucial for their effectiveness.
4. Enhance board-level cyber expertise
Companies should ensure that their boards have members with cybersecurity expertise; under the proposed SEC rules, the presence (or absence) of such expertise would have to be disclosed. This may involve appointing new directors with relevant experience or providing existing board members with additional training and resources.
5. Improve cybersecurity reporting and disclosure
Companies should establish clear protocols for reporting cyber incidents within the specified time frames and for disclosing relevant information about their risk management and governance strategies in compliance with the new SEC requirements.
6. Strengthen third-party and supply chain risk management
Companies should assess the cybersecurity risks posed by their third-party and supply chain partners, such as vendors and suppliers, and implement appropriate controls to mitigate these risks.
7. Monitor regulatory developments
Companies should stay informed about changes in cybersecurity regulations and guidelines, both in the US and the EU, to ensure compliance with all applicable requirements.
8. Foster a culture of cybersecurity awareness
Companies should prioritize employee training and awareness programs to promote a strong cybersecurity culture throughout the organization. Employees should be educated on cybersecurity best practices, common threats, and how to report potential incidents.
9. Stay proactive
Cybersecurity is not the end result of an activity; it is a continuous process. Moreover, it is a state of mind, just like staying business- and market-aware.
10. Turn cybersecurity cost into benefit
By improving communication strategies and investing in education for CISOs and boards, organizations can turn cybersecurity costs into benefits: a better cybersecurity posture delivers safe and secure business operations and faster recovery from any cyber incident. Cyber should not be a standalone cost or approach; it is embedded into everything, and those who master this will thrive in the age of cyber-digital transformation.
Conclusion
There is no silver bullet when it comes to new regulations and the actions required to meet their requirements. However, the direction and the message they send to the market are clear: cyber as a domain has matured to be part of board discussions, and not only does the regulator want to monitor the cyber resiliency of publicly traded organisations, but so do more and more investors and shareholders. The new SEC cybersecurity regulation presents both challenges and opportunities for the targeted organizations. Yet, by understanding the regulation's requirements and addressing its shortcomings, organizations can develop a comprehensive strategy to comply with the regulation while also enhancing their cybersecurity posture. By adopting a proactive approach and investing in appropriate cyber resilience development, companies can not only meet regulatory requirements but also turn cybersecurity from a cost into a strategic advantage.