Whose side is the U.S. Securities and Exchange Commission (SEC) on anyway?
The SEC is squarely on the side of the investors – and Rule 106 was adopted to protect those parties from cybersecurity ‘surprises’ that could impact the stability and financial viability of the publicly traded companies in which they invest. With Rule 106 and the new Form 8-K Item 1.05, the SEC wants to eliminate the excuses organizations have used to bury cyberattacks and to mandate cybersecurity preparedness and incident disclosure.
Who Owns Cyber Preparedness?
The SEC wants more transparency, leadership accountability, and proof of cybersecurity preparedness from publicly traded companies. Given the tight timeline of the new rules, corporate leaders may have to scramble to fulfill their new cybersecurity preparedness obligations - and get comfortable with acting on recommendations from their CISO and security teams.
The C-suite is accountable to the Board, stockholders, and its employees to ensure the company is profitable – and is therefore responsible for cyber preparedness that will protect the whole business – from IT assets and data to network fidelity to access management, incident response, and remediation.
You may think that the SEC is asking too much, too quickly, and that you are doing fine as you are. You may feel the rules are onerous and that you are not responsible for taking on the risk of your third-party vendors.
But few things are more damaging to your business than a successful cybersecurity attack.
Risk Management
Who owns an organization's risk? Risk management is a team sport – led by the CISO, CFO, CEO, and security and compliance departments. The risk may be obvious, but the solutions are not.
If executives changed their perspective, they could use these new rules as an opportunity to align their business and cybersecurity strategies to build trust and confidence in investors. Risk management is an investment strategy – investing in the right IT solutions lets you better manage risk and respond quickly to threats.
No one can deny that cybersecurity is getting more complicated with more tools, AI integration, hybrid workforces, sophisticated phishing attacks, zero-day exploitation, and identity theft. However, businesses are making these threats worse because they are less committed to tool integration, cyber hygiene, proper configuration, training programs, and actionable monitoring.
Often, partnering with a Solutions Provider to conduct a Security and Infrastructure Posture Assessment (SIPA) will uncover gaps in your IT environment and help align stakeholders around long-term strategy, business continuity, and the prioritization of vulnerability remediation. A SIPA will uncover your gaps and give you a roadmap to security maturity.
Cybersecurity Strategy
The SEC wants to see how organizations deploy cybersecurity policies and processes to identify, assess, contain, and remediate incidents. They are interested in protecting investors from cybersecurity gaps by requiring reports that ensure an organization has policies and processes around cybersecurity, risk management, strategy, and governance.
Investors and consumers have long expected large, publicly traded companies to have plans for crisis management, disaster recovery, defined roles and responsibilities, communication plans, and risk management. Because Murphy's Law plagues processes, plans, and best intentions, it is a good idea to plan for the worst-case scenario to protect your organization.
However, the reality of large-scale cyber disasters (MOVEit, T-Mobile, Yum! Brands) has spurred consumer distrust and sparked public interest in what organizations are doing to protect the consumer. Anyone can dig into the SEC filings of publicly traded companies in EDGAR, and soon enough, filings made under the new Rule 106 will be found there, too.
An excellent way to defend your organization against Murphy's Law is to run tabletop exercises to practice crisis response and test your decision-making skills. With practice and regular reviews of your business continuity plan, you can:
- Make your response and remediation processes more efficient
- Identify roles and responsibilities for all parties
- Set up a communication tree
- Understand third-party dependencies
- Get feedback from various departments
- Find appropriate escalation and de-escalation procedures that work for your teams
- Document what worked and what didn't work
- Review controls and procedures
- Find and fix flaws before the crisis
Governance
The SEC doesn’t need you to tell them what tools, software brands, or checklists you are using – they want to make sure corporations are able to understand their unique business risks, close vulnerability gaps, and respond properly to threats and attacks.
The SEC also wants organizations to harden themselves against system failures, data leaks, and cyberattacks by aligning their security strategy with national NIST or ISO standards. When investors are confident that organizations are held to the same cybersecurity standards and consistently include cyber preparedness in required annual reporting, they can better manage financial risk.
Cybersecurity risk is woven into whole-business risk, and the SEC rules require the Board and C-Suite to oversee risk and manage evolving threats to improve their cyber resilience.
Invest in Cyber Resilience
TBC is a Solutions Provider headquartered in Scottsdale, Arizona with over 27 years of experience as a managed services and managed security services provider. We can assess your operational processes and the health of your IT environment to identify vulnerabilities, security gaps, material risks, and endpoint coverage. TBC’s security architects and engineers can help you identify any previous incidents that may be of material importance to your current environment so that you can comply with the new Rule 106.
As a SOC 2 Type 2 compliant Solutions Provider, TBC is well positioned to help you address the new requirements of Rule 106 by aligning your cybersecurity strategy with your risk tolerance, offering best practice recommendations under the NIST framework, and running discovery on your environment to understand your security gaps.