As the Securities and Exchange Commission gets tough on businesses' cybersecurity posture, IT security leaders will need to beef up incident response plans, a notable challenge for organizations currently lacking in this area.
The rules also require annual reporting on cybersecurity risk management, strategy and governance, all established to strengthen transparency for investors and regulators alike.
The four-day requirement, while controversial in the cybersecurity industry, is consistent with other material reporting requirements by the SEC, which include definitive agreements, bankruptcy and so on.
Dave Gerry, CEO at Bugcrowd, explained that this is an important point as it provides more time for organizations to truly understand the materiality and impact of the incident prior to disclosing it.
He added that while the SEC is creating rules around disclosure, it is still up to individual organizations to ensure their cybersecurity defense strategies are sufficient to manage their risk.
While many organizations have adopted vigorous cybersecurity processes and policies, this additional disclosure requirement coming from the SEC should lead to more robust practices overall.
From his perspective, organizations must proactively develop processes to comply, ensure they run regular training and tabletop exercises and have strong collaboration inside their organization.
This includes legal, PR, investor relations, product development, cybersecurity and back office teams.
Claude Mandy, chief evangelist, data security at Symmetry Systems, pointed out that organizations have already invested or are investing in measures to determine the potential materiality of an incident.
This means organizations must be able to swiftly determine the potential impact of a breach, even from the compromise of a single account.
Joseph Carson, chief security scientist and advisory CISO at Delinea, agreed that organizations must now be more proactive in determining the material impact of cybersecurity incidents to the business rather than discovering this later in the courts.
While most organizations have a significant number of cybersecurity incidents every day, they will now need to ensure they clearly classify incidents that have a material impact.
He noted that cybersecurity is no longer just an IT or technical issue, but it has quickly developed into a business issue as more businesses are heavily dependent on their digital services.
This Cyber News was published on securityboulevard.com. Publication date: Mon, 08 Jan 2024 13:43:04 +0000