How New SEC Disclosure Regulations Move Beyond the Checkbox
By Dr. James Norrie, Founder
Executive Overview: From Compliance to a Security First Culture
In light of recent changes, there’s a pressing need for organizations to transition from mere compliance to embedding a genuine culture of security. With the regulatory landscape evolving, here are key developments and challenges that corporations need to be aware of:
- SEC’s Regulatory Shift: On September 5, 2023, the SEC introduced new rules requiring public corporations to disclose cybersecurity incidents promptly and provide annual cybersecurity risk management disclosures, marking a significant regulatory change. (8-K Form Sample here)
- Increased Responsibilities: CISOs, CEOs, and Board members will face heightened pressure to apply advanced cyber expertise, model cyber risk, integrate it into overall business risk, and manage and report new cyber risks and mitigating investments under the new SEC guidelines.
- Complex Frameworks: Many companies currently use multiple security frameworks for compliance, but the focus is shifting from mere ‘check the box’ compliance to demonstrating the deployment of tactics, techniques, and procedures (TTPs) for comprehensive cybersecurity risk mitigation.
The cybersecurity world changed on September 5, 2023, when the SEC issued new rules affecting public corporations (New SEC Regulation 33-11216-fact-sheet.pdf – sec.gov). These mandate public disclosure of cybersecurity incidents within four business days of determining that an incident is material, and annual disclosure regarding cybersecurity risk management, strategy, and governance. This is an important regulatory shift.
Implications for Corporate Leadership
The new SEC regulations will put more pressure on the CISO, CEO and the Board to apply sophisticated cyber expertise to stochastically model cyber risk; to understand cyber as a critical component of overall reportable business risk; and to task management with identifying, tracking and clearly reporting on new cyber risks and how the Board will approve mitigating investments to reduce that risk to acceptable levels.
Existing Security Frameworks and Challenges
To date, many companies are either required to or voluntarily apply one or more security frameworks such as NIST, ISO27001/2, CoBiT, CIS 20, PCI, and others to assess their security program maturity. These overlapping standards can be overwhelming if the organization is simply trying to ‘check the box’ for compliance. That only measures activity as an input rather than measuring reduced risk as an outcome.
In our view, this is an important shift: the SEC is forcing public companies not simply to report how they manage their cybersecurity program today, but to prove that enterprise tactics, techniques and procedures (TTPs) are being deployed to fully mitigate, transfer or accept the remaining residual cybersecurity risk as being within your total business risk tolerances, and to explain why that is the case.
Navigating the SEC’s New Regulatory Blueprint
As is often the case when an important regulator like the SEC changes step, many organizations struggle to interpret the practical actions necessary to move into compliance with the new regulatory cadence. Furthermore, we frequently note that regulators impose new guidelines without clear accompanying definitions of what is acceptable, leaving companies unsure how to avoid litigation or criminal prosecution for failing to meet them. This often creates consternation, frustration and anxiety as Boards and Directors struggle to respond to new responsibilities without concrete next steps to undertake.
To help, instead of offering a summary of the changes in the underlying SEC regulations themselves – information already available and digested by all concerned – we opted to turn our efforts towards early actions a Board of Directors can consider to avoid becoming an early victim of SEC enforcement efforts.
Understanding and Acting on SEC’s Evolving Expectations
While nobody knows for sure what will happen, there is past precedent, common law tradition and critical legal reasoning to credibly apply. They indicate the SEC Enforcement Division will be looking for early egregious breach examples to engage both its civil and criminal enforcement powers and bring clarity to what is expected of a company claiming compliance with these new guidelines. Therefore, our objective is to examine the likely purpose of these new guidelines, focusing on the cybersecurity gaps the SEC is signaling it intends as the scope of this enhanced regulatory oversight. Let’s consider actions under the new guidelines by grouping them into three distinct categories, which highlight what we feel are the most obvious and compelling focus areas:
- Timely Disclosure of Material Cybersecurity Incidents (Form 8-K)
- Annual Disclosure of Risk Management, Strategy & Governance (Form 10-K)
- Managing Risk Beyond Your Existing Perimeter and Tactical Edge
For each one, to reduce the risk of becoming an early litigant under these new guidelines, we offer one or more concrete steps an enterprise can take within the next 90 days to get ahead of looming reporting deadlines and put forward evidence of solid governance action that meets the spirit of these guidelines.
cyberconIQ® offers the Human Defense Platform and our cybermetrIQs™ dashboard, both of which can help pinpoint and reduce cybersecurity risk across the enterprise and measure the risk-adjusted ROI of your cyber investments. Our focus is to help any business move ‘beyond the checkbox’ by embedding a security first culture that minimizes risk and maximizes compliance under these new rules. Connect with us for a comprehensive, human-centric cybersecurity transformation!
To read the implications and advice for each of these focus areas, download the full “How New SEC Disclosure Regulations Move Beyond the Checkbox” White Paper Here.
Learn more about how our patented approach reduces human-factor cyber risk and helps your organization with compliance requirements here.