SEC Actions and Information Security Leaders' Action Plan

WHAT: In the name of protecting investors, the SEC is now expanding their 2018 ruling and now are operating in “trust, but verify” mode with cybersecurity programs.

WHO: If you’re a CISO or CIO with Information Security responsibilities and you’re a public company If you’re thinking about going public soon. There is language for foreign reporters on the US market as well. Also the below will have a good amount of best practices for private companies who take Cybersecurity seriously.

WHEN: This should be top of mind now and Board visible TODAY as rules are in effect on December 18, 2023 (Smaller companies June 15, 2024).

HOW: Here are the steps you should take to work towards meeting these new guidelines.

Comprehend the Rule

1. The final rule can be found here: https://www.sec.gov/files/rules/final/2023/33-11216.pdf

1. With a great summary here: https://viewpoint.pwc.com/dt/us/en/pwc/in_briefs/2023/2023/seccybersecdisreq.html#pwc-topic.dita_1cda2ef0-296d-46f6-ac52-222b89ef01b0

Talk to the Risk Committee on the Board.

If cybersecurity is not currently a significant component of your risk management strategy at the board and C-level, it is imperative to expedite action and approach. Delve through the new rules and mandates and build a to-do list for the CISO, D&Os, and Risk Management teams. The SEC is making it clear where the buck stops with Cybersecurity, make sure that it’s clear and formalized from the CISO to the Risk Management committee.

Take Stock of the Current Cybersecurity Program and Identify Gaps

Here’s a quick list of what I think your capabilities should be to feel comfortable in meeting the requirements of the Disclosure with a quick generalized statement which I would want to be comfortable saying to meet this rule and justify the cyber program to the public, the board, and company.

Action Item	Generalized Statement	Must Have
Cybersecurity Risk Management is a part of Overall Risk Management with Understood Leadership, including Third-Party Risk Management	Our Board is responsible for cybersecurity risk. With extensive experience and training, we comprehensively analyze its impact on our operations and financial performance. We address cybersecurity quarterly and fully understand its risks to our business.	Board level oversight and governance model well-described in the 10-K. Routine cyber reports to the board (or subcommittee) at least quarterly.
Risk Management and Data Governance	We have a complete understanding of our processes and systems and how they support our material financial statements.	IT and Information Security Governance Programs Financial and Operational Models to help rate risk impact due to cyber factors. Data Lineage and Process Documentation, including systems and process inventory Risk Management documentation with risk ratings and identification of material systems Risk and Operational Models to be built into the Incident Response Plan.
Controls Mapping	Our key business risks for cybersecurity are mapping to individual controls and reviewed and updated regularly.	Formalized Key Business Risks and where Cyber overlaps Controls, Policies, Tools, or processes to map to these risks and remediate Minutes of Risk Committee Meetings
Incident Response Plan which is tested with specific material breach scenarios	Our Incident Response plan is tested with the leadership of the company on an annual basis with material breach scenarios	A third party run or internally run tabletop which tests processes for the 4 day materiality reporting. All parties and officers comprehend the urgency of the four-day timeframe and acknowledge their respective responsibilities for reporting.
Cybersecurity Policies, Standards are Communicated and Published to the Company	Our Cybersecurity controls are published, well-known, maintained, and enforced across the company.	Policies are written with strong governance to communicate, enforce, and update on a regular basis.
Annual Cybersecurity 3rd Party Assessments	Our annual cybersecurity assessments are taken seriously and risks are remediated according to our risk management policies.	Annual Cybersecurity Assessment Risk Management Policies with Risk Ratings Remediation plan and report to the Board
SecOps: formal Security Monitoring, Detection, and Response Processes	Our risk assessments, security operations, key controls are mature enough to disclose publicly.	A Cybersecurity Leader, Control and Architecture, and Formal Program Cybersecurity Operations Team and/or MSSP Controls Mapping to Risks Matrix Incident Register
Cybersecurity Awareness Training	Our company is fully trained on cybersecurity awareness, our policies, and best practices.	Cybersecurity Awareness Program.

Finally, Get Investment and Execute

If you’re like most companies, you’re probably underfunded and under resourced. Well lucky for you, some CISO somewhere made a wish and the monkey’s paw curled. Put on your business and risk management hat and put together a complete business case to get this over the line and ask for that investment and build that rapport with your board.

Consequences for not will basically be the equivalent of the Cybersecurity Program will have no clothes in addition to as well as the fines and enforcement and investor perception. Public 8-Ks following up breaches is hard enough, but getting in trouble with the SEC for compliance is a headache I don’t want to deal with.

How Can We Help?

If you are struggling to understand the regulation and requirements, need another set of eyes, or someone to come in and lead these efforts, give us a call and reach out. We’ve been in your shoes before and are glad to help. At Class IV, we’re here for you. Feel free to contact us with any questions you might have.