The SEC’s new cybersecurity rules represent a significant evolution in the regulatory landscape.
Key takeaways
Organizations must disclose details of material incidents, cyber risk management, strategy and governance.
Organizations should focus on taking a proactive strategy to the new SEC cyber guidelines.
The world around us is becoming increasingly digital and interconnected, with cybersecurity an even more critical concern amid an ever-increasing number of large-scale compromises. The lack of timely disclosure has warranted a change in divulging information to shareholders. In July, the U.S. Securities and Exchange Commission (SEC) released final cybersecurity rules requiring public companies to disclose details of material incidents, as well as details of cybersecurity risk management, strategy and governance. As companies grapple with these new mandates, they're confronted with a profound realization: cybersecurity is no longer a checkbox for compliance but an imperative that affects their entire organization.
The SEC's move to extend its cybersecurity requirements signifies a pivotal evolution in the regulatory landscape. It demands proactive measures, strategic planning, a holistic approach to safeguarding data and operations and a shift from an approach emphasizing regulatory environments versus the broader enterprise. In this article, we'll delve into the expansive scope of the SEC cybersecurity requirements, exploring how they transcend the control environment over financial reporting and permeate every facet of an organization. We'll also provide actionable insights and steps companies should consider to meet regulatory obligations and fortify their cybersecurity posture, enhancing their overall resilience to cyberthreats.
Current state
Regulations such as the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Sarbanes-Oxley Act (SOX), etc., have dictated how organizations focus their cybersecurity time and resources. These requirements drive how budgets and, subsequently, efforts are directed. However, we found that while organizations typically have effective controls and governance in these areas, things weren’t as good outside these environments. In many cases, assets are missing from the central inventory. Key controls like endpoint protection, logging and monitoring, vulnerability and patch management, and identity and access management are not deployed. These vulnerabilities could open an organization up to a greater risk of needing to disclose an incident that cascades from a reputational impact perspective.
For companies, resources and time are finite commodities. Companies have always prioritized where they focus their energy and drove budgets based on their unique priorities. As new regulations demand an enterprise-wide cybersecurity program, it’s unrealistic to fully implement security controls for every possible cyber risk an organization faces. As such, with proper resource alignment based on risk identification, organizations can apply the prioritization principles to drive the programs focused on compliance requirements to develop an effective approach to the new regulatory demands.
Recommendations
Your organization has multiple avenues for developing a proactive strategy toward the new SEC cybersecurity guidelines. These include:
Make enterprise-wide organizational changes necessary to control cybersecurity, educational changes to develop a standard contextual “system” understanding among the board and risk experts, and cultural changes to imprint the importance of shared responsibility for cybersecurity upon your enterprise.
Inventory the assets in your environment. You must ensure your program considers a complete list of your assets. We often find that asset inventory and management are difficult for a majority of our clients. You need to seek tools and have a comprehensive process to validate you have a complete picture.
Leverage a single framework of controls. Your organization can use several existing frameworks from sources like the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) to encompass relevant requirements into one unified control structure.
Assess and monitor the controls. To maintain the program, you need to ensure your controls are effective and stay effective for the long term. Develop a compliance approach for those controls, including automation and tools like enterprise governance, risk and compliance solutions to validate that your organization is following the rules effectively and protecting your environment.
Apply that control framework to your environment in a risk-based manner. Your entire organization still won’t need to be secured in the same manner as regulated environments. However, you will still need key controls such as patch/vulnerability management, privileged access management, multifactor authentication, data protection and incident monitoring/response. While the SEC requirements have focused on governance, monitoring and response, you still need to ensure you protect your organization beyond just meeting the minimum standards defined by the requirements.
Applying controls in a risk-based manner can be difficult if your organization is running in a flat environment. By using cloud-based services, microsegmentation, etc., organizations can realize the effectiveness and cost-controlling measures of risk-based security.
By following these strategic steps, your organization will make strides in meeting the SEC's cybersecurity requirements and also build a robust cybersecurity foundation that safeguards your operations, data and reputation. In a rapidly evolving digital landscape, these actions are vital to ensure long-term resilience against cyberthreats.
RSM contributors
Related SEC enforcement and guidance insights
Llive webcast
Do you know what are your internal control weaknesses are?
Join RSM for a webcast on best practices for effective remediation of material weaknesses and significant deficiencies in financial reporting.
