5 recommendations for acing the SEC cybersecurity rules (2024)


By Steve Durbin, Contributing writer

Opinion

Aug 01, 2024 | 5 mins

Topics: CSO and CISO, Financial Services Industry, IT Leadership

SEC risk management and disclosure rules can be overwhelming and fraught with difficulties. Steve Durbin, chief executive of the Information Security Forum, offers advice for coping with the hassles.

Rules adopted in 2023 by the US Securities and Exchange Commission (SEC) on cybersecurity risk management, strategy, governance, and incident disclosure raise important considerations for security leaders of public companies, ranging from grasping the rules themselves to managing yet another set of regulations in an increasingly diverse and fast-changing cybersecurity landscape.

The new SEC regulation has three main components. The first has received the most press attention: the obligation to report "material" cybersecurity incidents to the SEC on Form 8-K (Item 1.05) within four business days of determining that the incident is material.

It's worth noting that the four-business-day clock does not start at the moment of discovery. The SEC recognizes that businesses need time to investigate and evaluate an incident. The rule does, however, require that the materiality determination be made without unreasonable delay after discovery, so an open investigation cannot be used to defer disclosure indefinitely.

Regulators will expect a public company to gather sufficient internal information to determine whether the incident poses a material risk to the entity and its shareholders. If the incident is deemed material, the organization must file the Form 8-K within four business days of that determination.

Annual reports now need to include disclosures too

The second and third components relate to annual disclosures of risk management strategies and governance practices (Regulation S-K Item 106). Public companies are now required to disclose in their annual reports (Form 10-K):

  • Processes for assessing, identifying, and managing material risks from cybersecurity threats.
  • Whether any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition.
  • The board's oversight of risks from cybersecurity threats: the board committee or subcommittee responsible for that oversight and the processes by which the board is informed of such risks; and management's role in assessing and managing those risks, including the relevant expertise of the managers or committees responsible. (The proposed requirement to disclose the board's own cybersecurity expertise was not adopted in the final rule.)

The above disclosures must be prepared in sufficient detail to enable investors to understand the company’s risk profile and to facilitate informed investment decision-making.

5 recommendations for organizations seeking to attain SEC compliance

1. Leverage an established cybersecurity framework

Governance frameworks such as the ISF Standard of Good Practice for Information Security (SOGP), NIST SP 800-53 (the control catalog; SP 800-53B is the companion set of control baselines), or ISO/IEC 27002:2022 provide the bedrock for risk management and a sound security governance strategy.

Frameworks can serve as a foundation for identifying and mapping out various risks, documenting controls, procedures and security gaps, determining risk exposure and tolerance levels as well as painting an overall picture of the organization’s cybersecurity posture and resilience against material threats.

2. Adopt a good risk-management process

A comprehensive, well-documented risk management process is critical to determining whether a breach is material, containing and mitigating it, and meeting the SEC reporting requirements: Form 8-K Item 1.05 for incident disclosure and Regulation S-K Item 106 for the annual risk-management and governance disclosures.

Each identified risk must be assessed and monitored on attributes such as risk description, monetary impact, threat landscape, and control effectiveness so that appropriate mitigations can be scoped out based on the risk's likelihood and priority. Where an organization lacks a streamlined risk management process, a standardized methodology such as the ISF's Information Risk Assessment Methodology 2 (IRAM2) will help immensely.

3. Don't ignore supply chain risks

The SEC's adopting release states that the materiality of a security incident does not depend on "where the relevant electronic systems reside or who owns them." It also states plainly that "we are not exempting registrants from providing disclosures regarding cybersecurity incidents on third-party systems they use, nor are we providing a safe harbor for information disclosed about third-party systems."

This means that organizations need agreements in place beforehand, with contractual notification obligations and timelines, so that when a third-party incident occurs the business receives the information it needs to make its own materiality determination and meet its own disclosure deadline.

4. Test your incident response plans thoroughly

Organizations must have designated people and formal processes in place to determine the “material impact” of an incident and to communicate with relevant authorities by the stipulated deadlines.

Testing and preparedness of incident response plans will be crucial. When groups drawn from diverse functions (legal, IT, finance, third parties, etc.) are brought together for the first time during a live incident, the lack of shared working habits causes avoidable confusion during mitigation efforts; tabletop exercises that rehearse the materiality determination and the disclosure timeline remove that friction before it matters.

5. Return to fundamentals

In cybersecurity, it's always wise to sort out the basics. Understand what constitutes a material breach. If you're a public company, there should already be legal and business teams that are fully versed in the concept of materiality and have experience applying it in other contexts. Learn from them. Evaluate any existing oversight structures at the board and management level and determine whether improvements are needed, for example by providing ample space for security discussion on the board agenda or by appointing a dedicated cybersecurity committee.

Conduct regular technology control assessments to learn what safeguards are working and what’s not working. Establish a clear incident response plan and chain of command so that teams can coordinate and collaborate without having to scramble at the eleventh hour. Have proper disaster recovery tools and plans in place to reduce the impact.

The SEC rules may seem overwhelming at first glance; however, organizations can manage them effectively by using established frameworks, adopting risk management protocols, and prioritizing incident response and disaster recovery measures. Not only will this mindset demonstrate commitment to compliance, but it will also improve cybersecurity resilience, market value, and brand reputation.
