The United States Securities and Exchange Commission (SEC) is finalizing new regulations that mandate greater transparency and cyber proficiency from the boards of directors of companies around the world. These regulations are expected to be finalized this month and are intended to create a more secure business environment and safer online experiences for organizations and their customers.
However, according to recent research from the CAP group, 90% of Fortune 500 companies are unprepared for the upcoming SEC cyber regulations. Currently, fewer than half of Fortune 100 companies have a sitting board member with the level of cybersecurity knowledge that regulators now require.
This comes amid increasing cyberattacks and threats against organizations of all sizes and across all industries. Companies without tech-savvy executives are not only more likely to suffer a serious data breach; they are also less likely to have the tools and resources needed to recover from a serious attack.
The FBI reported over 800,000 complaints of suspected internet crime last year, with losses totaling well over $10.3 billion. To avoid becoming a statistic—and facing non-compliance with SEC regulations—companies need to prepare their board of directors by placing cyber-knowledgeable executives at the head of the table.
New SEC regulations require cybersecurity expertise
It's no secret that cybersecurity is a growing issue across industries as threat actors become savvier. Ransomware, malware, zero-day attacks, and more are becoming a serious threat to nearly every industry.
A recent report found that the manufacturing sector experienced a 107% increase in ransomware attacks last year, while healthcare systems remain one of the most targeted sectors.
Not even government agencies are safe. The IRS eFile website has reportedly come under attack, leading to serious data leaks and an invasion of consumer data privacy. Entire nations have also come under attack as the concept of cyber terror continues to pick up steam.
That is why the SEC is establishing new rules that require at least one executive to hold adequate cybersecurity expertise. According to the SEC, most boards are well-staffed in areas such as finance, operations, and sales, but only 10% have kept pace with cybersecurity needs and trends. To ask the right questions and implement the most effective safeguards, boards need to have a sufficient understanding to interpret crucial security metrics.
Deloitte reports that companies that have outlined a technology strategy including cybersecurity proficiency experienced twice the revenue growth of those that lack a digital strategy.
Holes in the existing disclosure policy
There are several compliance regulations that companies must abide by to protect data privacy. For example, the PCI DSS standard includes requirements to develop and maintain secure applications and systems and to track and monitor network access, among others. But these stipulations alone are not enough to protect the cyber landscape from impending threats.
Most organizations report cybersecurity incidents on Form 8-K or in other periodic reports. However, there is a wide discrepancy between the number of incidents reported to the SEC using these forms and the number of incidents reported in the media, with the media reporting far more cyber incidents than are disclosed to the SEC.
Part of the reason is a historic lack of specific cybersecurity disclosure guidance for registrants. The nature of incident disclosure varies widely, with companies offering different levels of specificity regarding the scope, impact, cause, and materials affected in their disclosures.
The SEC explains that another key issue with the past disclosure standards is that the most high-profile breaches were typically accompanied by the least relevant information, while breaches of smaller scope were typically reported in great detail.
These inconsistencies make it impossible to create secure infrastructure to protect company data, clients, and cyberspace as a whole. As a result, the SEC has decided to amend its disclosure standards to meet the needs of modern enterprise security teams and their organizations.
Proposed changes to SEC regulation
The key to preventing the fraudulent activity that allows ransomware and malware to be planted on a system is a consistent and proactive approach to enterprise security. The SEC is putting into effect several proposed amendments that require more specific disclosures about a company's security policies.
Here is a brief rundown of the new SEC cybersecurity regulations:
- Registrants must disclose a material cybersecurity incident within four business days of becoming aware of it.
- Registrants must provide updated disclosures regarding past incidents.
- Registrants must disclose the level of cybersecurity expertise and knowledge held by their board of directors.
- Foreign Private Issuers (FPIs) must report disclosures in the same manner required of domestic registrants.
This includes information about the procedures in place to identify and manage cybersecurity risks, the impact of various cybersecurity risks on the organization's business strategy, the roles of management and executives and their expertise in cybersecurity, and new guidance on the role that boards of directors play in cybersecurity.
How organizations can prepare for new SEC cybersecurity regulations
Bryan Bechard, CISO of Flagship Credit Acceptance, has worked in cybersecurity for over 20 years. He says that the threat landscape has changed. "Compared to what it was when I started, the field has exploded in breadth of concerns and the depth of knowledge required to secure 'everything.'"
Organizations must work hard to protect their financial data and other private information about their customers, sales, and trade secrets. According to recent statistics, one in 10 adults has already been the victim of a cyberattack related to financial fraud. Adequately preparing for the new SEC cybersecurity regulations will be extremely helpful for those that want to continue operating without cybersecurity-related compliance issues.
So how can companies prepare to protect "everything"? Here are a few tips to get the ball rolling.
Review risk management documentation and incident response plans
Upgrading cybersecurity and risk management procedures is a lengthy process that involves personnel at many levels and extensive knowledge of an organization's systems.
Companies should start updating their programs as soon as possible so as not to fall behind when the new SEC rules go into effect. A careful review to catch any existing cyberattacks or incidents of fraud that went undetected would be wise as well, because many businesses are already victims of fraudulent activity more often than they realize. For instance, studies show that 86% of all chargebacks companies incur are fraudulent. It's also crucial that cybersecurity incident response plans are both put in place and regularly reviewed to meet the changing needs of an evolving regulatory landscape.
Define "material" for your organization
Whether or not a cyber-related incident meets the threshold for materiality under SEC disclosure rules will shape how your organization addresses the incident and reports it, both now and in the future.
Companies need to ensure that their legal teams and senior management define "material" in the same way to avoid costly compliance issues, and to keep their cybersecurity policies up to par with the sophisticated attacks that are on the rise.
Educate the board of directors
The board of directors will now play a critical role in overseeing and implementing cybersecurity policies under many regulatory standards, including the new SEC cyber rules.
Boards that lack IT knowledge are expected to acquire adequate knowledge of this issue and develop the expertise needed to set effective policies for the company. A liaison between enterprise security, cybersecurity managers, and the board of directors is essential, and is now required by the SEC.
The new regulations require companies to maintain cybersecurity practices, disclose those practices publicly, report incidents accurately, and enable senior leadership to effectively oversee these programs. With a renewed focus on cybersecurity and new SEC rules on the way, enterprise organizations need to clarify the leadership roles of those in charge of security oversight and ensure those positions are filled with professionals who are fit for the job.