Yesterday, the U.S. Securities and Exchange Commission (SEC) adopted new rules for Cybersecurity Risk Management, Governance, and Incident Disclosure. Transparent and timely disclosure of cyber risks and incidents is now a clear mandate from the SEC. Cybersecurity at the board level is a must-have, and CISOs will need direct communication lines with the Board.
In this 3-2 vote, the SEC approved major steps forward, including organizations being required to disclose cyber incidents within four days of determining the criticality of the incident. The final requirements can be found here.
Key Takeaways
There is a lot to absorb in this ruling, so we’ve highlighted a few key, high-level takeaways from the final rule here.
- Organizations must disclose material cyber incidents within four days of determining the criticality of the incident. Exceptions do exist, including in the event that the Attorney General determines there is a public safety or national security concern, in which case the Attorney General can request a delay.
- Organizations must outline, “in sufficient detail for a reasonable investor to understand those processes,” what processes are in place for “assessing, identifying, and managing material risks.”
- Organizations must disclose board oversight for cyber risk(s) and any committees in place to specifically focus on it.
- Disclosure of the management team’s expertise, and of the internal processes in place, for identifying and remediating cyber risk and reporting it to the board.
- Disclosure of if and how the management team reports on cyber risk to the board.
Impact
To be in a position to responsibly comply, it is imperative that organizations have the processes, plans, and policies in place to identify an incident, assign it a criticality, and quickly mitigate and remediate the weakness that was exploited, so that they can meet the four-day reporting requirement. Among other things, that could require organizations to:
- Provide a clear, unambiguous method for the public at large to report vulnerabilities under safe harbor, as well as a process for validating, prioritizing, and remediating them.
- Do continuous, proactive stress testing of the attack surface to uncover hidden risk, going beyond what passive scanning can achieve today.
- Do high-intensity (human-driven) penetration testing more frequently, going beyond traditional compliance-driven goals.
- Install a remediation process that keeps pace with today’s continuous development cycles.
- Adopt rich reporting and analytics to enable KPIs for tracking all of the above.
According to Bugcrowd CTO and Founder Casey Ellis, “the balancing act between transparency and security underpins the complex landscape of modern digital threats, and to see the SEC acknowledging this fact and driving policy in this direction is a hugely positive thing, despite the complexity it involves. The SEC’s new rules around heightened cybersecurity transparency for publicly traded companies are a double-edged sword—while the drive for standardized disclosure is a positive step in risk management, enhancing investor awareness, and bolstering corporate governance and public confidence, the regulation’s insistence on rapid public reporting of material cyber incidents potentially introduces a significant security threat, and incentivizes a range of other unintended consequences. Disclosure before a breach has been adequately contained or mitigated could provide attackers with crucial information, exacerbating the breach’s damage and improving an attacker’s ability to evade prosecution. As companies adjust to these new standards, the onus is on corporate communications, legal, and security teams to collaborate effectively, ensuring robust risk management processes are in place, while also being prepared to act swiftly when breaches occur.”
Hackers continue to play a vital role for organizations looking to strengthen their security, and increased regulatory action will create more opportunities for them to do so. The need for hackers has never been higher, as their collective creativity and expertise help organizations expand their security capabilities quickly.
How Bugcrowd Can Help
A “checkbox” approach to security is no longer good enough. Organizations should adopt risk-reducing security measures such as Bug Bounty programs, high-impact Penetration Testing as a Service, and Vulnerability Disclosure Programs (VDP) to support a security strategy that is as relentless as the constant threat landscape, ideally via a unified SaaS platform that is fully integrated with DevSec workflows. Find out more about how Bugcrowd can help you stay compliant with this SEC rule here.