Are You Ready for Mandatory Cybersecurity Disclosure?
Here are the top 4 ways to prepare for the SEC’s recent cybersecurity proposal
Earlier this year, the SEC released proposed rules for public companies on disclosures surrounding cybersecurity. In the 129-page proposal, the SEC proposed rules for cybersecurity risk management, strategy, governance, and incident disclosure by public companies. If adopted, these rules would be put in place as amendments to existing reporting and disclosure requirements. The goal of the proposed amendments is to better inform investors about an organization’s risk management strategy and its governance surrounding cybersecurity incidents.
Amendment Details
Mandatory cybersecurity disclosures can seem daunting for organizations. Here is the breakdown of what you need to know about the three key aspects of the proposed amendment:
Governance
The overall governance surrounding an organization’s security program is a major component of the proposed amendments. While we will get to the governance surrounding risk management and cyber incidents in a minute, from a broader perspective, these proposed rules would require transparency so that investors can determine whether organizations are investing in and prioritizing cybersecurity as a key business function and value. By requiring disclosure of the cybersecurity expertise on an organization’s board of directors, the rules let investors draw conclusions about the priority level the organization gives to cybersecurity. Understanding the board-level experience provides awareness of the board’s ability to provide guidance and insight to the CIO, CISO and other cybersecurity stakeholders.
Risk Management
Identifying and managing cybersecurity risk is currently not a required disclosure for organizations. Without an understanding of an organization’s approach to risk management, such as the policies and procedures for identification and management, investors are unable to use cyber risk management as a data point when deciding whether to invest in a company. For organizations that have a strong policy and procedure for cybersecurity risk management, this reporting requirement would add substantial value to a potential investor. For those that don’t, if the proposed amendment is approved, there will be significant benefit to investing in the improvement of the cyber risk management program.
Cybersecurity Incidents
With the proposed amendment, organizations would be required to report material cybersecurity incidents as well as provide updates on previously reported cybersecurity incidents. While the reporting of a cybersecurity incident brings risk to reputation, stock, public opinion and more, the way an organization handles the disclosure and overall response can also improve reputational opinions and business outlook. Nowadays, cyber incidents are likely to hit the media with or without the organization’s intent to publicly disclose the event. As a result, this portion of the proposed amendments does not have to be a daunting task, just something organizations can invest in as a proactive security task so that they are confident in their disclosure strategy when they do fall victim.
How to Prepare
- Assess Organization’s Current Priority of Cybersecurity
At the end of the day, the purpose of the recommended disclosures is to give investors an understanding of where cybersecurity falls on the priority list of an organization. Looking at an organization’s board to see where cybersecurity experience sits, or where there is an opportunity to invest, is a straightforward way to prepare for the proposed amendments. Additionally, the investment will provide value beyond meeting a requirement, giving the organization the upper hand in improving overall cyber resiliency.
- Assess Current Risk Management Approach
What policies and procedures are currently in place to guide the cyber risk management workstream? Being able to quantifiably show the risk management approach’s success and continuous improvement will be a key advantage, not only in getting investors on board but also in minimizing cybersecurity risk across the enterprise. Showing the investments made to minimize risk, such as investing in proactive products, will signal the dedication to and priority of cybersecurity in an organization.
- Assess Current Incident Response Program
Primarily, organizations must have the mindset that it is not a matter of if but when they will fall victim to a cyber-attack. Once this mindset is understood, organizations can invest in a proactive incident response program to best prepare themselves to respond to a crisis. Drafting the overall response plan, playbooks for specific incident types, and disclosure statements will minimize the inevitable stress and workload that comes with crisis management. Being ahead of the disclosures required by the proposal will ensure your organization is able to handle its public disclosure and overall response strategy tastefully and in the best interest of the organization.
- Ensure a Level of Assurance
The ability to quantify the overall success of an organization’s cybersecurity strategy, specifically as it relates to risk management, incident response, and overall governance, will be key under the SEC’s proposal. Investing in solutions that can provide a level of assurance for risk management will speak even louder to investors than showing a document with a written policy or procedure.
Here at Conceal, we can provide a level of assurance to both incident response and risk management. By undertaking activities to prevent, detect and minimize the effects of a cybersecurity incident through the web, we lower an organization’s overall cybersecurity risk while also maximizing the value and success of an organization’s incident response when they do fall victim. Our product’s ability to minimize the effect of an incident will make the overall disclosure and public backlash minimal. Find out how ConcealBrowse, ConcealSearch, and ConcealCloud can each provide unique value to achieving the SEC proposed amendments by scheduling a demo today.