Critical milestone: how new SEC rules affect business cybersecurity


In 2023, the Securities and Exchange Commission (SEC) implemented new cybersecurity disclosure rules. These regulations mandate the disclosure of "material" threat and breach incidents within four days of occurrence, along with annual reporting on cybersecurity risk management, strategy, and governance.

The introduction of the new SEC cybersecurity requirements represents a critical milestone in the continuous fight against cyber threats. In 2023, chief information security officers (CISOs) revealed that three out of four companies in the United States were vulnerable to a material cyberattack. Consequently, cybercrime remains one of the foremost risks confronting US-based companies. Additionally, in the same year, nearly seven out of ten organizations in the United States experienced a ransomware attack within the preceding twelve months.

Cyberattacks pose significant risks to businesses, primarily in terms of financial damage. In 2024, cybercrime is projected to cost the United States alone more than $452 billion. Additionally, the loss of sensitive data is a consequential outcome of cyberattacks. In 2023, the United States ranked third globally in the percentage of companies reporting the loss of sensitive information.

Furthermore, data compromise incidents affected approximately 422 million individuals in the country in 2022, totaling 1,802 incidents. The US is recognized among the countries with high data breach density. Beyond financial and data loss implications, businesses are also wary of reputational damage, significant downtimes, and the potential loss of current customers, all of which can affect a company’s valuation and overall standing.


Rise of awareness

With growing risks and the new SEC rules in mind, companies are strengthening their defenses, as a recent report by Infatica, a provider in the proxy service market, shows. According to the company's data, searches for proxy services have jumped by 106.5% over the last year. The reason behind this trend is that proxies can be used to simulate cyberattacks, so companies can use this technology to test their defenses.

The growing interest in proxy servers is not limited to the pursuit of enhanced security measures alone. Searches for "free web proxy server" have risen by 5,042.9%, indicating a widespread pursuit of accessible solutions that offer anonymity. Meanwhile, demand for "proxy server list" and "anonymous proxy server" has also seen significant upticks of 80.6% and 414.3%, respectively, highlighting the importance of reliable and discreet online operations.

While the SEC's cybersecurity rules primarily target publicly listed companies, many of these firms depend on smaller third-party software and supply chain providers. A cyberattack at any juncture within this chain could result in significant consequences. This is why non-public entities are compelled to bolster their defenses too.

Major gap

As businesses ramp up their efforts, significant gaps remain. A staggering 81% of security leaders acknowledge the impact of the new rules on their businesses. However, only 54% express confidence in their organization's ability to comply effectively. Surprisingly, merely 2% of security leaders have initiated the process of adhering to the new rules. Approximately 33% are still in the early stages, while a striking 68% feel overwhelmed by the new disclosure requirements.

Among the myriad challenges, determining the materiality of cybersecurity incidents stands out, with 49% of respondents highlighting its complexity. Additionally, 47% struggle with enhancing their disclosure processes, further complicating compliance efforts.

Here are several pieces of advice on how to prepare to comply with the SEC cybersecurity rules:

1. Consolidate your cybersecurity risk data

With the new regulations mandating the disclosure of incidents upon discovery and comprehensive reports on cybersecurity strategy quarterly and annually, organizations must prioritize centralizing cybersecurity risk assessment and incident data. Consolidating this data into a single repository, rather than scattered across spreadsheet software or lost in email inboxes, increases the likelihood of meeting SEC deadlines and reduces the time spent gathering information from different departments and stakeholders for incident disclosure.

2. Acquire cyber risk quantification capabilities

Traditionally, organizations have used qualitative methods such as ordinal lists or red-yellow-green severity charts to assess the significance of cybersecurity incidents or other risk events. While the SEC recommends considering these assessments when determining incident materiality, quantifying cyber risk offers a more accurate insight into the financial impact of an incident. Understanding the quantified financial impact of cyber risks enables organizations to take the steps necessary to mitigate costly risks or, ideally, prevent them altogether. This approach reduces the overall volume of disclosures required.

3. Optimize your incident management processes

It's an opportune moment to conduct a comprehensive review of your organization's incident management processes to ensure they are proficient in identifying, addressing, and reporting cybersecurity incidents. Streamlining and refining these processes facilitate the interception of cyber risks before they escalate into significant issues and enable swift reporting when necessary.

4. Enhance your cybersecurity and cyber risk governance

Ensuring compliance with the SEC's new regulations involves adequately informing your board of directors about your organization's cybersecurity risk management practices. Implementing robust reporting and communication processes is essential to regularly update leadership on cyber risk management efforts and any incidents experienced by the company. Furthermore, it's crucial to articulate how these incidents may impact or are already affecting the organization's strategy and finances.

5. Secure your third-party relationships

The updated regulations emphasize the importance of assessing cyber risk beyond the confines of your organization. Meeting the requirements for reporting on third-party cyber risk assessment and secure vendor selection underscores the necessity of establishing an effective third-party risk management program. Indeed, supply chain attacks aimed at smaller contractors and vendors frequently rank among the primary causes of cybersecurity incidents at larger organizations.

6. Improve the cyber risk culture within your teams

Digital transformation has significantly impacted nearly every organization, particularly in the years following the COVID-19 pandemic, which accelerated the shift of work and life online. Consequently, there has been a surge in employees connecting to organizational networks from various locations and devices, significantly expanding our cybersecurity attack surfaces. This shift underscores the critical importance of fostering a culture of cybersecurity risk awareness where cybersecurity is seen as everyone's responsibility, not just the purview of the information security team. The more awareness of the threat posed by cyber risks that an organization can instill in its members, the stronger its overall cybersecurity posture will be, reducing the time needed to disclose incidents to the SEC.

While the SEC regulations pose challenges, they also present opportunities. Following the rules can strengthen companies' cybersecurity, enhance investor confidence, attract capital investment, and contribute to long-term business sustainability.


This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

William Belov, CEO, Infatica.