Companies ‘Ill-Prepared’ to Meet Newly Adopted SEC Cybersecurity Rules
The "prevailing norm" in corporate America is "governance is lacking, resources are misaligned, and enterprises fly blind to their most critical cybersecurity risks, putting the company and shareholders on uncertain ground," said Scott Kannry, CEO of the cyber-risk engineering firm Axio.
The U.S. Securities and Exchange Commission (SEC) on Wednesday finally adopted stringent new cybersecurity disclosure rules for public companies, 16 months after the agency proposed them.
That lag gave companies an abundance of lead time to prepare for the requirement that has the cybersecurity community most worried: a mandate that companies publicly disclose a breach within four days after determining that it was material.
Still, experts say, companies are a long way from being ready.
“This ruling is a great step towards achieving accountability, to protect the consumers and the investor community,” said George Gerchow, chief security officer of the data-security company Sumo Logic and a faculty member at the Institute for Applied Network Security. “The reality is that most companies are currently ill-prepared to meet the requirement of reporting an incident of material impact in four days.”
To be able to meet the disclosure mandate, CEOs and boards will need to be more proactive, gaining a much stronger grasp of cybersecurity risks and establishing the same oversight and governance they do for other major risks to their organization, said Scott Kannry, CEO of Axio, a cyber-risk engineering firm.
Company security leaders also must quickly model the potential impact of new and evolving cyberthreats so that they can more effectively determine whether mitigating actions are appropriate, he said. “All these outcomes differ starkly from the prevailing norm, where governance is lacking, resources are misaligned, and enterprises fly blind to their most critical cybersecurity risks, putting the company and shareholders on uncertain ground,” Kannry said.
The new rules also mandate that companies annually disclose their cybersecurity risk-assessment strategy, disclose the cybersecurity expertise of management, and provide updates on previously disclosed cybersecurity events.
The rules are aimed at benefiting investors but also will help sharpen management at the companies, SEC Chair Gary Gensler said Wednesday. “Whether a company loses a factory in a fire or millions of files in a cybersecurity incident, it may be material to investors,” Gensler said. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
Companies need to be ready to meet the new requirements in a few months. They’ll have to disclose material breaches within four days starting in mid-December, and firms with the traditional December 31 fiscal year will need to explain their cyber risk assessment strategy and detail the cyber expertise of management in filings they submit to the SEC early next year.
The SEC hasn’t yet disclosed what the penalties will be for noncompliance.
The new rules passed on a 3-2 vote, with Democrats voting for and Republicans against. Hester Peirce, a Trump appointee, said the SEC is overstepping its authority and displaying a tendency to “micromanage” company operations.
She also said that providing so much transparency around cybersecurity practices plays into the hands of cybercriminals, handing them a road map for which companies to target and how to attack them.
See also:
- Companies Fear SEC’s Cybersecurity Disclosure Rules Could Play into the Hands of Criminals
- SEC’s Increased and Expanding Focus on Cybersecurity Disclosures
- SEC Weighs New Timeline for Disclosing Cybersecurity Incidents
- How Cyber and D&O Insurance Can Mitigate Risk from a Cyberattack
From: BenefitsPRO