Both private and public companies are expected to be significantly impacted by new SEC rules requiring a “show-me-the-money” commitment to cybersecurity.
Your Cyber Defenses May Go Under a Microscope in 2024
By Joe Dysart
Businesses that have been “winging it” when it comes to cybersecurity may want to reconsider their position in 2024, when new rules for all public companies (sec.gov/corpfin/secg-cybersecurity) require tougher defenses against hackers.
That advisory also goes for many private companies, which are expected to be significantly impacted if they do business with public companies or want to do
business with public companies.
Says Gary Gensler, chair of the Security and Exchange Commission (SEC), the agency activating the new rules: “Whether a company loses a factory in a fire or
millions of files in a cybersecurity incident, it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors.
“I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way.”
Put another way: Beginning in 2024, anyone interested in closely scrutinizing the cybersecurity plan of any public company, including investors, an everyday citizen or even an extremely curious journalist, will be able to pore over that company’s official report to the SEC to their heart’s content.
Granted, the new rules are aimed squarely at publicly traded companies. But many cybersecurity insiders also believe the crackdown will reverberate with privately held companies that are partnered with publicly traded counterparts or are hoping to become partners.
Says Agnishwar Banerjee, product marketing
manager of MetricStream (metricstream.com), an IT advisory firm specializing in cyber risk management and compliance:
“A key takeaway is that while the rules do not directly apply to private companies, by virtue of being part of the third-party ecosystem of public companies, the rules may in effect extend to them.
“Implementing a cyber-governance, risk and compliance program without factoring in the extended enterprise cannot be deemed effective
or complete in today’s interconnected business environment.”
New Reporting Requirements
The new SEC rule that will probably smart most for businesses is a requirement that forces them to report a known hack of their systems to the SEC within four days.
That’s a far cry from the way businesses have reported hacks previously: Often, victimized firms have been known to wait months before reporting a cyber-intrusion.
Still others try to skirt reporting an incident completely, hoping to avert bad press and liability.
Besides the short four-day window allowed for fessing up to a cyber break-in, other new SEC rules are designed to force companies to go into great, written detail on about their cybersecurity infrastructure.
Again, technically speaking, such reporting will only be required of publicly traded companies. But you can bet scores of computer security information officers
at publicly traded companies are going to have nice, long talks with many of their counterparts over at private companies regarding the strength of their partners’
cybersecurity.
Who could blame them? Essentially, computer security information officers’ jobs are decidedly at extreme risk with the new rules even if the original source of a break-in is with a privately held partner.
As far as the specifics in writing the SEC is mandating: The SEC now requires publicly traded companies to describe in detail the kinds of defenses they’ve developed to combat hackers, including the kind of protections they’ve developed with third-party companies.
And the SEC has also decided to put corporate boards on the hook as well, requiring companies to describe in writing the oversight role the corporate board is playing in defending against hackers.
Company management, too, is of course high up on the radar with new, “in writing” requirements. And the SEC also wants to know, in writing, if the company is working with assessors, consultants or auditors when it comes to cybersecurity planning.
Finally, the SEC wants to see—also in writing—how companies have woven their hacker defense systems into their overall risk management system.
Toughening Up Defenses
Not surprisingly, business reaction to the new SEC rules, which technically first went live in mid-December 2023 only for companies that run on calendar, year-end fiscal reporting, has been swift and decisive. An October Deloitte & Touche poll (www2.deloitte.com), for example, found that 65% of public company executives have already made plans to toughen their defenses against hackers.
Plus, more than half of executives surveyed vowed they would push third-party partners, including private companies, to beef up their cyber-defenses as well.
Says Daniel Soo, a principal at Deloitte & Touche: “Whether organizations are publicly traded or do business with public companies, clear communication from top leadership about cyber-risk management expectations can help mitigate security risks within organizations themselves.
“Increasingly, more executives understand cybersecurity is not just a CISO’s responsibility but a multifaceted business risk that demands many groups work together.”
New regs aside, as most businesses with cybersecurity defenses already know, a good cybersecurity plan also just makes good business sense.
That’s especially true given the never-ending cat-and-mouse game hackers insist on playing with businesses, year after year.
A new survey from CompTIA (comptia.org), a training and certification organization for the computing industry, for example, finds that businesses are still plagued by many of the usual suspects when it comes to cyber harassment.
In particular, malware remains a top concern at these organizations, with 40% of survey respondents identifying the malware scourge as a core focus of their defenses.
Another 33% pointed to ransomware attacks as critical, followed in priority by the hacking of firmware (31%), internet-of-things attacks (31%) and attacks on computer hardware (31%).
Of course, our old friend, phishing (30%)—through which hackers attempt to penetrate business computer networks using stolen passwords, IDs, malicious links and similar—was also high up on respondents hit-list, with 30% of respondents saying it’s a top priority.
Says Seth Robinson, vice president of industry research, CompTIA: “Businesses have begun to consider cybersecurity as a critical function. Excessive cybersecurity measures can hinder overall progress. But if measures are too relaxed, it can lead to serious incidents, resulting in potentially greater negative impacts. This balancing act is a full-time job. With technology trends evolving and attack patterns changing, true equilibrium may be impossible to achieve.”
Adds Matt Gorham, a cyber and privacy innovation leader at PricewaterhouseCoopers: “Surprisingly, there are still many companies who struggle with the basics. There is no shame and no consequence in revisiting the fundamentals of your cybersecurity risk management program.”
SOME TRUSTED RESOURCES
Fortunately, a number highly respected cybersecurity think tanks and organizations have
recently come out with detailed studies and advisories on how to handle the cyber-security threat landscape in 2024.
Together, these reports should enable your business to be a step quicker when it comes to
outfoxing the ever-persistent ne’er-do-wells.
Here’s where to scoop up a representative sampling of these reports for free:
• Google Cloud Cybersecurity Forecast 2024
cloud.google.com/resources/security/cybersecurity-forecast
• Comptia State of Cybersecurity 2024
comptia.org/content/research/cybersecurity-trends-research
• PWC Global Digital Trust Insights 2024
pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/library/global-digital-trust-
insights.html
• A Year in Review: A Look at 2023’s Cyber Trends and What’s to Come:
akamai.com/our-thinking/the-state-of-the-internet
