In 2023, the Securities and Exchange Commission (SEC) implemented new cybersecurity disclosure rules. These regulations require disclosure of ‘material’ threat and breach incidents within four days of occurrence, along with annual reporting on cybersecurity risk management, strategy and governance.
The introduction of the new SEC cybersecurity requirements represents a critical milestone in the ongoing fight against cyber threats. In 2023, Chief Information Security Officers (CISOs) revealed that three out of four companies in the United States were vulnerable to a material cyberattack. As a result, cybercrime remains one of the biggest risks facing US-based companies. Additionally, in the same year, nearly seven in 10 organizations in the United States experienced a ransomware attack in the previous 12 months.
Cyber attacks pose significant risks to companies, especially in terms of financial damage. By 2024, cybercrime is expected to cost the United States alone more than $452 billion. Moreover, the loss of sensitive data is a consequence of cyber attacks. In 2023, the United States ranked third globally in the percentage of companies reporting the loss of sensitive information.
Furthermore, data compromise incidents affected approximately 422 million people in the country in 2022, for a total of 1,802 incidents. The US is recognized as one of the countries with a high density of data breaches. In addition to financial implications and data loss, companies are also wary of reputational damage, significant downtime and the potential loss of current customers, all of which can impact a company’s valuation and overall position.
Rise in consciousness
In the face of increasing risks and new SEC rules, companies are strengthening their defenses, according to a recent report from Infatica, a provider in the proxy services market. According to the company’s data, demand for searches through proxy services has increased 106.5% in the past year. The reason behind this trend is the ability of proxies to imitate cyber attacks. Therefore, companies can test their defenses using this technology.
The growing interest in proxy servers is not just limited to the search for improved security measures. Searches for “free web proxy server” increased by 5,042.9%, indicating a widespread push for accessible solutions that provide anonymity. Meanwhile, the demand for “proxy server list” and “anonymous proxy server” has also seen a significant increase of 80.6% and 414.3% respectively, highlighting the importance of reliable and discreet online operations.
Although the SEC’s cybersecurity rules primarily target publicly traded companies, many of these companies rely on smaller third-party software and supply chain vendors. A cyber attack at any time within this chain can have significant consequences. This is why non-public entities are forced to strengthen their defenses as well.
Big gap
As companies ramp up operations, significant gaps remain visible. A whopping 81% of security leaders recognize the impact of the new rules on their business. However, only 54% express confidence in their organization’s ability to effectively comply with regulations. Surprisingly, only 2% of security leaders have initiated the process of complying with the new rules. About 33% are still in the early stages, while as many as 68% feel overwhelmed by the new disclosure requirements.
Among the myriad challenges, determining the materiality of cybersecurity incidents stands out, with 49% of respondents highlighting its complexity. Additionally, 47% struggle to improve their disclosure processes, further complicating compliance efforts.
Here is some advice on how to prepare for compliance with SEC cybersecurity rules:
1. Consolidate your cybersecurity risk data
With new regulations mandating incident disclosure upon discovery and comprehensive cybersecurity strategy reporting on a quarterly and annual basis, organizations must prioritize centralizing cybersecurity risk assessment and incident data. Consolidating this data into a single repository, rather than being scattered across spreadsheet software or lost in email inboxes, increases the likelihood of meeting SEC deadlines and reduces the time spent gathering information from various departments and stakeholders for making incidents public.
2. Acquire cyber risk quantification capabilities
Traditionally, organizations have used qualitative methods such as ordinal lists or red-yellow-and-green severity charts to assess the significance of cybersecurity incidents or other risk events. While the SEC recommends considering these assessments when determining the materiality of incidents, quantifying cyber risk provides a more accurate understanding of the financial impact of an incident. By understanding the quantified financial impact of cyber risks, organizations can take the necessary steps to mitigate or, ideally, prevent costly risks altogether. This approach reduces the overall volume of required disclosures.
3. Optimize your incident management processes
It’s a good time to conduct a comprehensive assessment of your organization’s incident management processes to ensure they are proficient at identifying, addressing and reporting cybersecurity incidents. Streamlining and refining these processes facilitates the interception of cyber risks before they escalate into significant problems and enables rapid reporting when necessary.
4. Improve your cybersecurity and cyber risk management
To ensure compliance with the SEC’s new regulations, you must adequately educate your board of directors about your organization’s cybersecurity risk management practices. Implementing robust reporting and communication processes is essential to keep leadership regularly informed about cyber risk management efforts and any incidents the company is facing. Additionally, it is critical to clarify how these incidents could, or are already impacting, the organization’s strategy and finances.
5. Secure your relationships with third parties
The updated regulations emphasize the importance of assessing cyber risks beyond the boundaries of your organization. Meeting requirements for third-party cyber risk assessment reporting and secure vendor selection underlines the need to establish an effective third-party risk management program. Supply chain attacks targeting smaller contractors and suppliers are often among the leading causes of cybersecurity incidents at larger organizations.
6. Enhance a cyber risk culture within your teams
Digital transformation has had a significant impact on virtually every organization, especially in the years following the COVID-19 pandemic, which accelerated the shift of work and life online. As a result, there has been an increase in the number of employees connecting to organizational networks from different locations and devices, significantly expanding our cybersecurity attack surfaces. This shift underscores the critical importance of fostering a culture of cybersecurity risk awareness, where cybersecurity is viewed as everyone’s responsibility and not just the purview of the information security team. The more awareness an organization has of the threat cyber risk poses to its members, the stronger its overall cybersecurity position will be, reducing the time it takes to report incidents to the SEC.
While SEC regulations pose challenges, they also present opportunities. Following rules can reduce corporate cybersecurity, increase investor confidence, attract capital investment, and contribute to the long-term sustainability of companies.
We have listed the best network monitoring tools.
This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc. If you are interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro