The SEC has recently proposed several changes to the Cybersecurity Incident and Governance Disclosure Obligations for Public Companies intended to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies.”
The pending regulations raise the bar for public companies to have leaders with information security expertise on their executive teams and boards. They also create opportunities for security-focused IT providers equipped to fill those gaps, whether through consulting or vCISO engagements.
The Changes You’ll See
While the exact language of the new regulations is yet to be finalized, the prevalence of cyberattacks and many public companies' weak cybersecurity posture have created pressure for regulatory intervention to protect stakeholders and customers. The public toll alone is staggering: Cybersecurity Ventures' 2022 Cybercrime Report predicted that the global cost of cybercrime will reach $8 trillion in 2023, a 15% increase over 2022.
Consumers want to know their data is safe, business owners want to protect their companies and customers, and stakeholders want to know their investments are secure. These SEC proposals serve to help accomplish these goals, but what do they mean, in practice, for businesses?
The Changes the SEC Has Proposed Will Primarily Affect:
- Disclosure Requirements: Companies will need to provide periodic disclosures describing their policies and procedures for identifying and managing cybersecurity risks.
- Board Oversight: Companies must also document and disclose the board of directors' cybersecurity expertise and how the board oversees cybersecurity risk. Management's role in assessing and managing that risk and implementing cybersecurity practices must be disclosed as well, which in practice requires infosec leadership at the executive level.
- Incident Disclosure: Material cybersecurity incidents must be reported on Form 8-K within four business days of the company determining that the incident is material (the clock starts at the materiality determination, not at the intrusion or its discovery). Previously disclosed incidents must be updated in periodic reports, and individually immaterial incidents that become material in aggregate must also be disclosed. There is some concern that the added reporting burden will take valuable time away from both implementing cybersecurity practices and responding to a breach, which further underscores the need for infosec leadership that can make the materiality call quickly and knowledgeably.
In short, these changes amplify the need for public companies to have leadership with cyber and information security expertise.
According to Brian Walker, Founder and CEO of Critical Asset Protection, 90% of public companies do not have anyone on their board or executive team with relevant information security expertise, whether a CISO, CIO, or other equipped resource. This proposal will disproportionately affect companies that fall into this majority.
On top of that, PwC lists cybersecurity risks and concerns as the top factor impairing innovation.
Companies that get ahead of these changes can:
- Reduce the risk of cyberattacks: The frequency and severity of cyberattacks are increasing, and a single breach can be business-ending. Companies need to protect themselves, and these proposals push them to put proper cybersecurity frameworks and practices in place.
- Create transparency for investors and encourage board oversight: Investors and stakeholders are looking for companies that are cyber-ready, and a lack of transparency in this area can be a deal-breaker. As cybersecurity threats have grown, boards of directors' fiduciary responsibilities have extended to oversight of cybersecurity practices.
- Secure a competitive advantage: Customers increasingly expect companies to take cybersecurity seriously and protect their data. Transparency and thoroughness in this area can set your company apart.
- Avoid legal consequences: In case the business benefits were not convincing enough, companies that fail to comply with these new regulations could face enforcement action, fines, and shareholder lawsuits.
The MS(S)P Advantage
A lack of executive-level security expertise in public companies has prompted SEC rulemaking designed to keep customers and stakeholders out of harm's way. Companies need to prepare for these changes and, more importantly, have infosec leaders in their corner, whether as internal leadership, independent consultants, or outsourced board-level services. As the adoption of the new regulations draws closer, security-focused IT providers are well positioned to fill these gaps.
Effective risk management and cybersecurity frameworks are critical for companies to protect themselves, their stakeholders, and their customers. These regulations are expected to be finalized in 2023, so now is the time to get ahead of them and make sure your company can meet the disclosure requirements and the cybersecurity frameworks that support them.
To learn more about how you can empower your clients to meet their cybersecurity obligations in an affordable way, while also growing your business, check out Apptega, the only GRC automation platform purpose-built for MSSPs.