What Do CISOs Have to Do to Meet New SEC Regulations?

Ilona Cohen, Chief Legal and Policy Officer, HackerOne: It is never an easy time to be a chief information security officer, but the past few months have felt particularly challenging.
The recent charges brought by the US Securities and Exchange Commission against SolarWinds' CISO mark the first time the agency has singled out a CISO in this way.
Companies traded on US exchanges must comply with the SEC's new cybersecurity disclosure and incident reporting rules starting December 18, 2023; qualifying smaller reporting companies have until June 15, 2024, to begin complying with the incident reporting rules.
These changes put organizational security programs under even greater scrutiny and add to the load of responsibilities CISOs must track.
It's no surprise that many CISOs are feeling more pressure than ever.
These new rules and liabilities need not be a hindrance to a CISO's work - in fact, they can be a source of support for CISOs.
SEC rules around cybersecurity disclosures and incidents have historically been somewhat hard to discern.
By clarifying requirements for disclosing security risk management programs, governance, and cyber incidents, the SEC is providing CISOs with a guidebook.
The SEC's increased expectations for risk management and governance may give CISOs greater standing to demand internal resources and processes to meet those expectations.
New requirements for publicly traded companies to disclose risk management practices to investors create additional incentives to strengthen proactive cybersecurity defenses.
Even before they went into effect, the SEC's new rules have heightened awareness of cybersecurity practices among company boards and non-CISO company leadership, which will likely translate to more expansive cybersecurity resourcing.
Public companies with robust security programs that include continuously identifying and mitigating vulnerabilities may be more attractive to investors from risk management, security maturity, and corporate governance perspectives.
At the same time, companies that take a proactive stance on reducing security risk - for example, by implementing and appropriately resourcing cybersecurity best practices such as those in ISO/IEC 27001 (information security management), ISO/IEC 29147 (vulnerability disclosure), and ISO/IEC 30111 (vulnerability handling) - are less likely to suffer material cyberattacks that damage the company's brand.
This new regulatory landscape represents an opportunity for CISOs to take stock of their internal reporting procedures and make sure they're up to par.
If publicly traded companies do not already have procedures to escalate significant security issues to executive management, these processes should be established immediately.
CISOs should help prepare disclosures about company risk management processes, and also help ensure the company's public statements about security are accurate, complete, and not misleading.
While an incident responder may be accustomed to assessing the security implications of an incident, such as how many records were impacted, how many unauthorized users had access, or what type of information was at risk, they may be less accustomed to thinking about the broader implications for the company.
That's why many companies are putting protocols in place - such as referral to an internal committee made up of security professionals, lawyers, and members of the C-suite - to assess not just the security risk caused by an incident, but the impact to the company overall.
An interdisciplinary team is more likely to be able to assess whether the incident exposes the company to liability, affects its financial position, disturbs the relationship between the company and its customers, or affects its operations through unauthorized access or disruption of service, all of which are relevant to the materiality determination.
With some conscientious adjustments to standard operating procedures, CISOs can adapt effectively to this new regulatory climate without drastically increasing workloads or compounding already high levels of stress.


This Cyber News was published on www.darkreading.com. Publication date: Mon, 18 Dec 2023 23:10:16 +0000