In March of 2022, the Securities and Exchange Commission (SEC) proposed amendments to its cybersecurity regulations. The proposed changes would require reporting of cyber incidents and disclosure of cyber mitigation strategies, both leading to stronger relationships between CISOs and board-level decision makers. These proposed changes are a response to the increasingly dangerous negative incentives public companies face when deciding whether to disclose cybersecurity breaches. Withholding information often seems beneficial in the short term, but multiplies the risk for businesses, investors, and consumers in the long term. The new set of proposed rules from the SEC addresses this issue and offers new opportunities for public companies to refocus attention and resources on the cybersecurity.
Public reporting of cybersecurity incidents has varied greatly within past years. Public disclosures are most often delayed, unclear, and incomplete. Given the lack of a uniform reporting standard, each business has largely been left to its own best judgment. This variance, however, is increasingly concerning as cybercrime continues to rise. Without an environment of accurate reporting and cyber risk mitigation strategies, it is difficult for decision makers to establish industry best practices. This lack of collective awareness leads to unnecessary industry-wide risk, which has increased concern among investors and customers alike.
The growing number of high-profile cybersecurity intrusions has caused individuals to inquire more thoroughly into the cybersecurity practices of the businesses and organizations they interact with and invest in. The SEC proposal reflects an understanding of this dilemma and seeks to decrease market volatility by increasing security confidence. While this raises new challenges for business in the short term, it has the potential to lead to a more secure ecosystem in the longer term.
The first proposed rule would require businesses to report all material cybersecurity incidents within four business days of the incident’s discovery. To facilitate this requirement, the SEC is establishing “cybersecurity incidents” as a new reporting category within disclosure forms according to a released fact sheet. Furthermore, while there is question as to the specific meaning of a material cybersecurity incident, the SEC’s proposal also involves the reporting of all incidents that could be deemed material in aggregate, demonstrating the seriousness with which the SEC is approaching this topic.
Second, a new rule would require businesses to disclose the precise methods they are using to identify and manage cybersecurity incidents. According to the SEC, most businesses that disclosed cybersecurity incidents in 2021 did not describe what policies or procedures had been in place to mitigate cybersecurity risk. The new proposed rule would also require business to file recurring and detailed descriptions of their “cybersecurity risk assessment programs.” In addition, the regulation would also require the board of directors to report the extent to which individual board members have cybersecurity-related expertise.
According to Peter Lund, Chief Technology Officer of Industrial Defender, “With this increasing focus on cybersecurity, companies must have policies and procedures in place now to manage cyber risks and report on security incidents. This rule would ensure that CISOs have board-level visibility going forward.” Indeed, the totality of this proposal will require senior leadership in public companies to reprioritize cybersecurity in numerous concrete ways or risk losing investor and consumer confidence.
The new proposals are anticipated to have a significant impact on operational technology and industrial control systems security. Within the longform description of the proposed rules, the SEC lists “degradation, interruption, loss of control, damage to, or loss of operational technology systems” as the second example of an incident that would require disclosure pursuant to the new rule. This is understandable as critical infrastructure companies find themselves increasingly targeted by ransomware attacks and nation-state exploits.
Transitioning to a robust cybersecurity process to meet these heightened reporting requirements may pose challenges for business leaders and security operators. However, solutions exist that can streamline these efforts and transform the SEC’s heightened requirements into an opportunity to optimize organizational cybersecurity practices. Implementing an OT cybersecurity platform will help security teams automate both the collection of security data and compliance reporting to minimize the internal resources required to communicate policies, procedures, and the general cybersecurity posture to regulators.
While different solutions will be best for different organizations, one thing is clear – the importance of cybersecurity will only continue to increase. The recent proposed SEC cybersecurity reporting requirements will not be the last. Organizations need to recognize the importance of cybersecurity protections, particularly when it comes to critical infrastructure and their operational technology systems.