Cybercrime has become increasingly costly for organizations of all sizes. High-profile security breaches have made it clear that many, if not most, organizations are vulnerable to cyber criminals. Because of the increased risks of data breaches, on March 9, 2022, the Securities and Exchange Commission (SEC) proposed new cybersecurity disclosure requirements intended to increase the transparency of publicly traded organizations’ cybersecurity practices to their investors.
The proposed SEC rule will require companies to disclose their cybersecurity governance capabilities, including the board’s oversight of cybersecurity risk, a description of management’s role in assessing and managing cybersecurity risks, the relevant expertise of such management, and management’s role in implementing the company’s cybersecurity policies and procedures. Preparing now for these changes is critical.
Who Is Affected by the SEC’s New Cybersecurity Laws?
The updated SEC cybersecurity rule is designed to provide the public with improved transparency on company data breaches when they occur and provide timely notification of cybersecurity incidents. Because compliance and cybersecurity are intertwined, the SEC’s rule change will affect several parties, including:
Investors. Investors must be informed about risks, security measures, and responses to data breaches.
Executives. Executives must strengthen their security, detection, and reporting processes. Building stronger communication between cybersecurity executives and board members is essential.
Boards of Directors. The new SEC regulations will change the board’s role when it comes to cybersecurity. Board members will need to enhance their oversight of cybersecurity measures.
Information Security Teams. IT security teams must strengthen their data breach detection and reporting capabilities.
What Companies Must Do
The SEC’s new rule will require public companies to report “material cybersecurity incidents” within four business days after determining that an event has occurred. Companies must also provide periodic updates of previously reported incidents and share their cybersecurity risk management policies and procedures.
Three Ways to Prepare
Although the SEC’s proposed rule changes have not been made official, organizations can and should take steps to prepare for potential rule enforcement.
1. Establish Written Cybersecurity Plans, Policies, and Procedures
It’s essential to revisit your existing cybersecurity policies to ensure that they provide effective disclosure controls and procedures. These policies will be critical to promptly assessing and escalating detected cybersecurity incidents. Reviewing and updating policies will provide the correct processes, oversight, and compliance with new disclosure requirements.
2. Review Board Oversight
While your company may already disclose the board’s role in overseeing cybersecurity risk in its proxy statements, the proposed rule changes introduce a broad set of board-related topics that must be addressed. Boards that have not yet delegated responsibility for overseeing cybersecurity disclosures to a specific committee will need to consider whether doing so is an appropriate step to ensure compliance. You should also assess the time the board currently devotes to addressing cybersecurity during meetings. If the board should be devoting more time and attention to cybersecurity, take steps to implement those changes now.
3. Minimize Your Risk
The best way to protect your company and prepare for any new SEC rule change is to minimize the risk of security breaches in the first place. Executives, legal teams, and CFOs should lobby their organizations to enlist the help of an experienced cybersecurity and compliance partner. An experienced cybersecurity consulting firm can help audit and amend your policies and procedures to help reduce the risk of phishing, ransomware, and other cyber attacks. They can also help train your employees and ensure that your in-house IT professionals stay up-to-date on evolving cybersecurity risks.
What More Should You Do?
It’s never too soon to start working to improve your organization’s data security. Working with an experienced and reputable IT consulting business is crucial for protecting your company. Improving and implementing cybersecurity policies and practices should not be left to your information technology or cybersecurity team alone. These changes have company-wide implications that will likely impact many policies and procedures throughout your organization. It’s essential to work with an experienced cybersecurity consulting firm with the expertise to help you navigate these critical changes.
How Can Fortify IT Solutions Help?
It’s essential to take steps now to ensure your organization complies with the updated SEC rules and regulations. Fortify IT Solutions has years of experience developing policies, procedures, and assessments to improve organizational security. We can provide ongoing maintenance, penetration tests, risk assessments, training, and more. Contact us online or call 856-512-1949 to schedule an appointment with one of our expert project managers.
We look forward to connecting with you and showing you how we can bring you the IT services you need and the expertise you deserve.