SEC Actions and Information Security Leaders' Action Plan
WHAT: In the name of protecting investors, the SEC is now expanding their 2018 ruling and now are operating in “trust, but verify” mode with cybersecurity programs.
WHO: If you’re a CISO or CIO with Information Security responsibilities and you’re a public company If you’re thinking about going public soon. There is language for foreign reporters on the US market as well. Also the below will have a good amount of best practices for private companies who take Cybersecurity seriously.
WHEN: This should be top of mind now and Board visible TODAY as rules are in effect on December 18, 2023 (Smaller companies June 15, 2024).
HOW: Here are the steps you should take to work towards meeting these new guidelines.
Comprehend the Rule
-
- The final rule can be found here: https://www.sec.gov/files/rules/final/2023/33-11216.pdf
Talk to the Risk Committee on the Board.
If cybersecurity is not currently a significant component of your risk management strategy at the board and C-level, it is imperative to expedite action and approach. Delve through the new rules and mandates and build a to-do list for the CISO, D&Os, and Risk Management teams. The SEC is making it clear where the buck stops with Cybersecurity, make sure that it’s clear and formalized from the CISO to the Risk Management committee.
Take Stock of the Current Cybersecurity Program and Identify Gaps
Here’s a quick list of what I think your capabilities should be to feel comfortable in meeting the requirements of the Disclosure with a quick generalized statement which I would want to be comfortable saying to meet this rule and justify the cyber program to the public, the board, and company.
| Action Item | Generalized Statement | Must Have |
| Cybersecurity Risk Management is a part of Overall Risk Management with Understood Leadership, including Third-Party Risk Management | Our Board is responsible for cybersecurity risk. With extensive experience and training, we comprehensively analyze its impact on our operations and financial performance. We address cybersecurity quarterly and fully understand its risks to our business. |
|
| Risk Management and Data Governance | We have a complete understanding of our processes and systems and how they support our material financial statements. |
|
| Controls Mapping | Our key business risks for cybersecurity are mapping to individual controls and reviewed and updated regularly. |
|
| Incident Response Plan which is tested with specific material breach scenarios | Our Incident Response plan is tested with the leadership of the company on an annual basis with material breach scenarios |
|
| Cybersecurity Policies, Standards are Communicated and Published to the Company | Our Cybersecurity controls are published, well-known, maintained, and enforced across the company. |
|
| Annual Cybersecurity 3rd Party Assessments | Our annual cybersecurity assessments are taken seriously and risks are remediated according to our risk management policies. |
|
| SecOps: formal Security Monitoring, Detection, and Response Processes | Our risk assessments, security operations, key controls are mature enough to disclose publicly. |
|
| Cybersecurity Awareness Training | Our company is fully trained on cybersecurity awareness, our policies, and best practices. |
|
Finally, Get Investment and Execute
If you’re like most companies, you’re probably underfunded and under resourced. Well lucky for you, some CISO somewhere made a wish and the monkey’s paw curled. Put on your business and risk management hat and put together a complete business case to get this over the line and ask for that investment and build that rapport with your board.
Consequences for not will basically be the equivalent of the Cybersecurity Program will have no clothes in addition to as well as the fines and enforcement and investor perception. Public 8-Ks following up breaches is hard enough, but getting in trouble with the SEC for compliance is a headache I don’t want to deal with.
How Can We Help?
If you are struggling to understand the regulation and requirements, need another set of eyes, or someone to come in and lead these efforts, give us a call and reach out. We’ve been in your shoes before and are glad to help. At Class IV, we’re here for you. Feel free to contact us with any questions you might have.
