Allegedly, the wrath of the U.S. Securities and Exchange Commission (SEC) was triggered by the large number of organizations that hid ransomware attacks and data breaches from the SEC, paid ransoms without federal notification, buried cyber risk from investors, and let vulnerabilities remain long after discovery. Allegedly.
The SEC’s new Cybersecurity and Risk Management rules become effective on September 5, 2023, and are intended to curb non-disclosure. All publicly traded companies must comply with these new rules beginning in 2024.
Strategy Before Action
A big part of the new Rule 106 speaks to the accountability of the Executive leadership and the Board of Directors in preparing and deploying cybersecurity strategies for business risk management. Luckily, the proposed requirement to disclose the Board's cybersecurity expertise did not make it into the final rule.
It's no secret that IT is a core component of the whole business – from data collection and communications to productivity and profitability – and it must be protected.
Executives understand that IT is essential, but the SEC reminds us that a high-functioning and protected IT environment is critical to a healthy business, satisfied investors, and happy customers. The SEC's responsibility is to protect investors. To that end, it is delegating the responsibility of building consumer confidence and trust in the security process to business owners.
Security Posture Assessment
Take ownership of your security posture. Begin by knowing where you stand right now, so that you can create policies and a roadmap that bring you to security maturity. Now is a great time to schedule a Security and Infrastructure Posture Assessment (SIPA) to discover the security status of your network, infrastructure, data, and users and to get a detailed picture of your environment. Knowledge is power, and knowing how, when, and where to focus your resources to secure your business is a powerful way to come into compliance with the new SEC requirements.
Look at your existing vulnerabilities and understand how they could lead to big security gaps.
- Are you using previously breached software or services (SolarWinds, MOVEit, Microsoft Exchange)?
- Do you have a patching schedule, or do you save it until you “have time”?
- Are you 100% confident in your configurations?
- Do you regularly monitor your apps and IT environment?
- Have you already suffered from a cybersecurity attack? Know that you are 67% more likely to be hit again.
Prepare for Post-Incident Disclosure
Do you have a business continuity plan? Have you collaborated with your security teams about the new rules? Are you ready to comply?
If you don't have the time, ability, monitoring precision, or resources available to comply with the 4-day disclosure timeframe, you may need the support of a Solutions Provider. Find one that provides a full-service cybersecurity solution such as Extended Threat Detection and Response (xTDR) and a 24/7 Security Operations Center (SOC), is SOC 2 Type 2 compliant, and has deep experience in incident isolation to reduce the blast radius, targeted response, data backup and disaster recovery, and remediation. A Solutions Provider can give you the data you need – the description of "the material aspects of the incident's nature, scope, and timing" – that you must include in the reports to the SEC.
Executives and security leaders within the organization must reach a consensus about what constitutes "material" because the organization must disclose any material incident to the SEC within four business days. The rule does not mean four days after the incident but four days after determining that the incident is of material consequence to the organization.
Take the time now to define what kind of security incidents could be of "material" importance to investors. Prepare your list before you fall victim to an attack, so you don't waste valuable time during a crisis.
- Should you report unauthorized access to your network or email systems?
- Does the size of a data breach matter? How many lost records would make a breach material?
- Is a cybersecurity ‘threat’ of material consequence? Or just incidents that result in disruptions of services or operations?
- Will the impact reach investors and customers?
These questions (and more!) must be answered to lay the foundation for establishing what counts as "material."
TBC as Your Compliance Partner
TBC is an IT Solutions Provider headquartered in Scottsdale, Arizona. With over 27 years of experience in cybersecurity, data backup and disaster recovery, infrastructure management, preparing roadmaps to ensure security maturity, and preparing clients to fight cyber incidents, we are confident that we can help you comply with the new SEC rules.
Even if your organization is not publicly traded, you are not off the hook for cybersecurity preparedness. The new SEC rules offer a framework of cyber responsibility and leadership accountability that you may want to deploy within your organization. Ransomware remediation is time-consuming and expensive, but process preparation, risk management, data disaster recovery, and cybersecurity solution implementation are the keys to recovering data and operations more quickly after an attack.
While the SEC wants to promote cyber preparedness through transparency and disclosure reporting, TBC wants to help you mature your security strategy and implementation program with internal controls, tested processes, experienced resources, and the right technology to do security right, every time.