The SEC’s Role in the Shift Towards Greater Transparency in Cybersecurity
Since 1934, the Securities and Exchange Commission (SEC) has regulated and enforced federal securities laws in the US. As the importance of cybersecurity has grown over the last decade, the SEC has naturally expanded its focus to the cybersecurity industry. How did that conversation start? Well, with a roundtable.
In March 2014, the SEC held a roundtable to discuss how the increased focus on cybersecurity has raised questions about the effective management of cybersecurity threats, particularly around the disclosure of threats and incidents by public companies. Key points of the discussion included (1) the challenges cybersecurity poses for market participants and public companies, and (2) how they are addressing these concerns.
In an effort to address these concerns, the SEC has been actively proposing new regulations for the disclosure of cybersecurity risks and incidents. As a result, the business world is experiencing a shift in the way it approaches cybersecurity:
- Greater investment in cybersecurity measures
- A more rigorous approach to risk assessments
- Greater transparency and accountability for security incidents
Overview of the Latest Proposed SEC Regulations and Disclosure Requirements
In response to several high-profile cyber attacks, the SEC proposed a broad suite of new regulations in March 2022 and March 2023. Both aim to further promote transparency and encourage public companies, and covered entities alike, to take cybersecurity risks much more seriously in the new year.
It is important to note that “covered entities” in this case refers to organizations that are subject to SEC regulations, either because they are publicly traded companies or because they engage in certain activities that fall under SEC jurisdiction.
Now, let’s take a deeper look into what it could mean if these proposed regulations were to be adopted.
If these proposed rules are approved, public companies will have to disclose:
- The types of cybersecurity incidents (i.e. malware, phishing, etc.) that the company has experienced in the past
  - What this provision means: Companies must provide details regarding the nature, scope, and impact of such incidents, including the type of attack, the duration of the breach, and the data or systems affected. This disclosure requirement also covers their response to the incident – the steps taken to mitigate the damage, restore services, and prevent similar incidents from occurring in the future.
  - Why this is important: A study by IBM found that companies that disclosed a breach within 30 days saved an average of $1 million compared to companies that took longer to disclose. This suggests that timely disclosure can not only help protect a company's reputation, but can also have a positive impact on the financial cost of the incident. Reviewing how a company addresses an incident from pre-attack to post-attack can help stakeholders better evaluate a company's risk profile and assess its ability to handle future cybersecurity incidents.
  - Example: March 2022 – Okta Breach: Okta Inc., an authentication company used by thousands of organizations across the world, was at the center of a potential data breach caused by the data extortion group Lapsus$. On March 21, 2022, the threat actor posted screenshots via Telegram showing the group’s operators inside Okta’s internal systems. The screenshots also showed Okta’s Slack channels, as well as another internal system with a Cloudflare interface. This affected a small percentage of customers – approximately 2.5%. By issuing a statement about the breach, Okta demonstrated a commitment to full transparency, not only to stakeholders but also to its customers. Despite the impact on the company's reputation, this act of taking ownership and responding rapidly to the incident helped to mitigate the reputational damage to Okta’s brand.
- How the company measures and manages cybersecurity risk
  - What this provision means: Companies must provide an overview of the policies and procedures they use to identify, evaluate, and manage potential threats to their systems and data. This includes an outline of their approach to cybersecurity risk management – the technologies, tools, and methods employed to prevent, detect, and respond to security incidents.
  - Why this is important: A 2020 report by the National Association of Corporate Directors (NACD) found that 58% of investors believe that cybersecurity risks should be discussed at every board meeting, highlighting the importance of transparency and communication around cybersecurity risk management. By disclosing these details, companies can enhance investor confidence in their cybersecurity posture and, ultimately, their overall business operations.
  - Example: February 2023 – Microsoft Breach: Earlier this year, Microsoft released patches that address 56 vulnerabilities across multiple products, including Windows, Microsoft Office, and Microsoft Defender. These patches aim to fix critical security flaws that could allow threat actors to carry out remote code execution, privilege escalation, and information disclosure attacks. By releasing patches to address vulnerabilities, Microsoft is providing its users with the means of protecting their systems from potential attacks that could compromise sensitive information and cause significant damage. The release signifies a shift towards immediate cybersecurity transparency for enterprises – emphasizing the urgency of installing updates promptly to ensure the continued security of systems and to prevent unauthorized access by threat actors.
Similar to public companies, covered entities will have to disclose:
- Past and present cyber incidents to the SEC within 48 hours of discovery
  - What this provision means: Covered entities will be required to immediately notify the SEC in writing of a significant cybersecurity incident when they have reasonable grounds to believe that one has occurred or is occurring. In addition, companies must submit detailed information about the incident and their response to it using the proposed Form SCIR, which must be filed promptly and updated if new material information is discovered or upon resolution of the incident. A significant cybersecurity incident is defined as one that significantly disrupts or degrades the entity's critical operations, or that leads to unauthorized access to or use of information resulting in, or likely to result in, substantial harm to the entity, its customers, or other parties interacting with the entity. The filings will be confidential to the extent permitted by law.
  - Why this is important: This allows the SEC to take swift action to protect stakeholders and the integrity of the markets. Prompt notification enables the SEC to better understand the nature and scope of the incident, assess the potential impact, and coordinate with other agencies and market participants to mitigate any potential harm.
- Two types of public disclosures that are easily accessible on the company’s website
  - What this provision means: The first disclosure is a simple and clear explanation of the cybersecurity risks that could potentially impact the entity's business and operations, including an assessment of how these risks are prioritized and addressed. The second disclosure summarizes all significant cybersecurity incidents that took place during the current or previous calendar year. This must include the following details:
    - The number of people affected
    - The date of discovery
    - The ongoing status
    - The data breach
    - The impact on operations
    - The current remediation status
    The SEC has cautioned that excessive disclosure could increase the risk of future attacks, so only high-level disclosures and summary descriptions are required.
  - Why this is important: Trust does not come easy these days, especially when 71.1 million people fall victim to cyber crimes yearly. By creating these two public disclosures, covered entities build a thicker layer of trust with their stakeholders and customers – not only because it could be a regulatory mandate, but also because it is a fundamental part of responsible corporate governance.
- An overview of the policies and procedures the company uses to identify, evaluate, and manage potential threats to its systems and data
  - What this provision means: Covered entities will need to have written policies and procedures for an incident response program – more specifically, one that effectively detects, responds to, and recovers from unauthorized access to or use of customer information. This program evaluates the severity of each incident and implements measures to contain and manage it accordingly. If customer information is compromised, the incident response protocol must be activated. The SEC emphasized that the proposed regulations allow for flexibility, as each company must customize its program to address its specific situation without being bound to specific procedures.
  - Why this is important: According to an ENISA report, when considering targeted assets, in 66% of incidents attackers focused on the suppliers’ code in order to further compromise targeted customers. A well-designed and comprehensive incident response plan can help companies prepare for and respond effectively to potential data breaches, and this can extend to an organization’s third-party suppliers as well.
Potential Impacts If and When the Newly Proposed SEC Regulations are Adopted
- Compliance costs: Prioritizing cybersecurity will require a dedicated budget. Companies may incur additional costs to comply with the new rules, including the costs of gathering and analyzing the required data.
- Competitive pressures: Companies that are slow to address their cybersecurity risks may face increased competition from more cybersecurity-conscious competitors.
- Reputational risks: With greater exposure comes greater scrutiny. Companies that fail to adequately address their cybersecurity risks may face reputational damage and potential backlash from investors, customers, and other stakeholders.
Potential Limitations Stakeholders Could Be Facing with the Proposed SEC Regulations
The intent of these proposed rules is to protect the greater public – hold companies accountable and protect individuals. But as with many regulations, there are limitations. In particular, there is a degree of ambiguity around what covered entities are obligated to disclose and how they should disclose it. For example:
- Different industries face different cyber risks: While all industries are susceptible to cyber risks, each has a unique risk profile with different levels of confidentiality and security, making it difficult for stakeholders to compare the cybersecurity postures of organizations across industries.
- Companies may measure their risks differently: There is no one-size-fits-all method to measure risk, so it is difficult for a stakeholder to determine whether a particular company's risk measurement strategy is comprehensive or accurate.
- The definition of long-term risks and opportunities is open for debate: Because long-term risks and opportunities are a subjective matter, it is difficult for organizations and stakeholders to determine how they should plan and invest for their cybersecurity needs.
But there is a bright side to this – the SEC cybersecurity regulations are issued to build upon or revise what is already in place. For organizations looking for guidance, this disclosure document can serve as a starting point for ongoing conversations and improvements in cybersecurity transparency practices.
Cybersecurity Transparency – How These SEC Rules Impact Private Companies
When the government initiates regulatory changes such as greater cybersecurity transparency, those changes become the standard in the private sector as well. Here is what that could look like:
- Increased expectations from stakeholders: Private companies may face increased expectations from stakeholders such as customers, suppliers, employees, and investors to disclose information about their cybersecurity risks and strategies, similar to publicly traded companies.
- Competitive pressures: There could be a demand for cybersecurity assurance. Private companies that do step up to the plate and measure their risks will become more attractive to stakeholders than those that choose not to.
- Reputational risks: Private companies that decide not to adequately address their cybersecurity risks may face reputational damage and potential backlash from stakeholders.
- Potential regulatory changes: While the proposed rules from the SEC only apply to publicly traded companies, regulatory changes like the ones covered in these proposed SEC rules may show up in other compliance measures (such as HIPAA, HITRUST, and CMMC) that DO impact private sector entities.
How Avertium Can Help
Avertium spans every phase of the security lifecycle – prepare, prevent, detect, and respond. Using learnings from each stage to inform the others, we help you bring context to the chaos of cybersecurity.
For organizations looking to start building out their security department, the Avertium team can help you…
- Understand current vulnerabilities and fulfill compliance requirements via a risk assessment: Avertium can conduct a comprehensive risk assessment that identifies vulnerabilities, threats, and potential risks to an organization's network, systems, and data. This helps your organization prioritize its security investments and implement effective controls to mitigate the identified risks.
- Get visibility into the health of your cybersecurity program and build cybersecurity resilience via a penetration test: Avertium can help you employ the tactics, techniques, and procedures (TTPs) that hackers use in order to test your network’s ability to withstand attacks. By having a friendly expert probe for vulnerabilities, they are more likely to be discovered in the pen test than in an actual attack. To put it simply, better a trusted advisor finds them than a bad actor.
- Detect suspicious activity with security monitoring and management: Get continuous monitoring and management of your organization's network and systems to detect and respond to security incidents in real time, before they cause any significant harm.
- Respond rapidly during an incident: In the event of a security breach, Avertium can provide incident response services to help your organization contain the incident, investigate the root cause, and remediate the issue, minimizing the impact of the incident.
- Continuously manage your compliance: No more scrambling to address vulnerabilities ahead of an audit. Avertium’s continuous, proactive approach to PCI compliance helps organizations comply with relevant regulatory and industry standards by providing ongoing assessments, audits, and reporting.
If you need a more advanced security solution, Fusion MXDR is your next stop. Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-informed XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
Contact us to learn more.
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.