New SEC regulations are likely to change the cybersecurity landscape by encouraging more widespread adoption of best practices.
Regulators have taken note that businesses are too often fighting a losing battle against foreign and domestic cyber criminality. By introducing stringent cybersecurity standards, regulators are seeking to ensure that companies treat cyberattacks as increasingly systemic threats.
This December 18 marks the compliance deadline for companies to adhere to the U.S. Securities and Exchange Commission’s (SEC) historic cyber incident disclosure rules. All publicly listed companies, including foreign issuers, must be prepared to make timely determinations about whether an attack under way may have a “material” effect on their enterprise.
The rule, which came into effect in September, will now require that companies make materiality determinations “without unreasonable delay,” which means that disclosure teams must get involved in cyber incident response activities much earlier than before. Companies will then have four days to inform core stakeholders, such as investors, customers, and regulators. In addition, publicly listed companies will also need to discuss in greater detail the kinds of cybersecurity threats for which they have prepared, particularly the kind of severe ones that can have material impacts on the company, and to share the kinds of approaches they have in place to minimize the effects of such events on the company’s business strategy, operations, or financial conditions.
The new SEC regulations are designed to better inform investors about an organization’s cyber defensive capabilities and provide prompt reporting of material cybersecurity incidents. It is hoped that intensifying regulatory pressure on organizations will enhance their communication with customers and investors on the safety of their data and the measures they are taking to defend themselves.
Currently, 85 percent of data breaches never reach the public domain and are not disclosed by companies because they fear damage to their reputations and a fall in their share prices. At a time of immense upheaval in both the cyber threat and regulatory landscape, particularly with the prevalence of new generative AI tools in the hands of attackers, companies need to improve their processes and practices to protect vulnerable and sensitive data and systems.
The effects here for cyber practices from the new SEC regulations could be similar to the positive effects that the Sarbanes-Oxley (SOX) regulations had on financial reporting two decades ago. Most companies have long known what to do. As was the case with SOX, companies will likely help to foster greater adoption of best practices for withstanding severe cyber events more broadly across public reporting companies.
Cybercrime is predicted to cost the world $10.5 trillion annually by 2025, but the impact of a cyberattack extends far beyond its economic costs. It also degrades trust and damages the reputations of public and private service providers.
With the new SEC rule, a light is now being shone on the importance of securing critical infrastructure to combat heightened threats. Companies need to take more proactive steps not only to protect their critical infrastructure but also to practice defending it under severe circumstances, all the way through to the rapid and full restoration of systems after an attack has been contained.
Best-practice companies have been investing in advanced, military-grade cyber defense strategies such as adopting a zero-trust approach and testing their people, processes, and technology in simulated cyber range environments before an attack occurs.
As cyber threats and attacks are becoming more common, sophisticated, and damaging, developing a company’s cyber defense capability and stress testing capacity is key to mitigating risk. It is what CEOs, boards, audit committees, investors, regulators, and insurers most want to see.
The North Atlantic Treaty Organization’s cyber defense teams and their counterparts in the U.S. have long prepared to defend against nation-state attacks by training in advanced cyber ranges that replicate the real production information technology and operational technology environments that they have to defend every day.
Security teams in the private sector can be equipped with similar defensive tools, combatting cyber risks using the same tactics, techniques, and procedures implemented in high-profile attacks. Already, many leading publicly listed companies have followed suit with those best practices. Now, a broad cross section of listed companies will need to take on the same best practice of military-grade protections. These best-practice environments enable companies to explore and make sure their defenses are robust around key specialty systems, such as the billing system that took down the Colonial Pipeline and the order entry and other systems that have proven to be critical in the recent attacks on Clorox.
This ability for companies to rehearse for the unfortunate eventuality that they will be hit by a significant cyber event is also helping companies to integrate their financial and disclosure teams right into their incident processes. Incorporating the early stages of materiality determinations in parallel with the work of incident response teams should help companies make their determinations “without unreasonable delay.”
Similar early integration of legal teams is also helping best-practice companies have the right triggers so that they can better use the national security exception provided for in the new SEC regulations. This is helping them not only to bring in national cyber teams earlier but also, under certain circumstances, to have more than the standard four days allotted to make disclosures.
Companies have long thought that traditional table-top exercises will be sufficient to prepare teams to timely and accurately respond to a severe cyberattack, but time and again that has proven not to be the case. Years ago, the U.S. Air Force learned that the chances of survival went up substantially for a pilot who had already successfully flown ten missions, so they created training environments so that their pilots could get that experience under actual severe circumstances before going into actual combat. Cyber Command in the United States did the same thing as they stood up their cyber training exercises in 2010. Best-practice companies do the same. They all want their teams practiced and regularly scored for effectiveness on high fidelity replicas of the actual production systems that they defend, so that their leadership will know that they can be successful on the day that a real and potentially material cyber event occurs.
Ultimately, these companies adopt a model of continuous improvement to sustain performance as new threats emerge. Leadership gains greater confidence that their teams and tools will be able to withstand severe attacks and rapidly restore capabilities. And investors, regulators, and insurers can gain confidence too. Although the material threats posed by nation state-backed groups have awoken many organizations to the systemic risks that attacks against any of our large, publicly traded companies pose, we need to remain vigilant in our war against cyber threat actors.
In the upcoming year, and with the advent of these new SEC cyber regulations, every public company CEO should be thinking about how to prepare their organizations for continuing cyber threats and how to minimize risks. Fortunately, best practices are out there that can be adopted. The new SEC cyber regulations will hasten the pace at which more companies go out there to find and adopt these practices.
