The newly expanded SEC Rule 17 covering Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure went into effect on December 15, 2023. The rules require public companies to disclose the policies and procedures, if any, for the identification and management of cybersecurity threats, including operational risk (i.e., disruption of business operations), intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws and other legal and reputational risk. The rules also require companies to disclose material cybersecurity incidents within 4 days on a Form 8-K.
To help maintain compliance with these rules, CISOs and other executive stakeholders should answer these four critical questions:
1. What Are the “Crown Jewels,” or Assets Our Business Functions Rely on?
Crown jewels are the assets that run critical operations and ensure functionality of the business. Compromise of these critical assets and their networks could have severe safety, financial and/or reputational consequences for the business. Identifying these assets is an essential first step in any effective risk management strategy.
CISOs should work closely with department heads and executives to pinpoint these key infrastructure components and how they might be impacted by a cyber incident. To do this well, a thorough inventory of all IT, OT and IoT devices across the business will be essential. Once identified, these assets should be ranked by priority in terms of risk mitigation measures and incident response planning.
2. What Does Materiality Mean?
Materiality is a central concept in the SEC Cybersecurity Rules, and it's not just about financial impact. The definition of materiality can vary from one organization to another, depending on the nature of their operations. For some businesses that operate critical infrastructure, it might include impacts to health and safety, environmental concerns, or even regional and national economies.
CISOs should work closely with their CFO, legal team, and other executive stakeholders to establish clear definitions of materiality that align with the organization's objectives and values. This will set the stage for identifying what cyber incidents warrant SEC disclosure and ensure a consistent understanding of materiality across the organization.
3. How Can We Reduce Our Mean Time To Recover (MTTR)?
Time is of the essence in the world of cybersecurity, making all the difference between a remediated event and a disrupting incident. The SEC Cybersecurity Rules require organizations to disclose cybersecurity incidents they deem to be material within four days. Four days is the timeline from the determination that the incident is “material.” CISOs need to also determine exactly how long it takes their organization to detect, investigate, and disclose an incident.
To answer this question effectively, CISOs should conduct a comprehensive assessment of their asset inventory, cybersecurity solutions and reporting capabilities, and incident response processes. These reviews should include IT and OT stakeholders, as well as legal and compliance teams to streamline these processes and reduce response times. This not only ensures compliance with the new rule, but also minimizes the potential fallout from a cyber incident.
4. Are Our Incident Response Plans Ready for Primetime?
Recovery time objectives (RTOs) are essential in cybersecurity and play a significant role in determining the impact of an incident. Organizations need to define how long they can afford to experience operational degradation from specific functions of their business before considering an incident material. These objectives should be aligned with the organization's overall risk tolerance and business continuity goals.
CISOs should collaborate with their executive stakeholders to establish clear and achievable RTOs. This may involve enhancing cybersecurity measures, investing in redundancy, revising incident response plans, and conducting exercises to test those plans. Defining RTOs ensures that the organization can respond effectively to minimize the impact of a cyber incident.
Conclusion
With the new SEC Cybersecurity Rules now in effect, CISOs have their work cutout for them. The identification of crown jewels, materiality, mean time to recover, and incident response plans are all vital aspects of cybersecurity and risk management which will not only facilitate compliance, but also protect the organization's digital assets and reputation.
Embracing these rules is an opportunity to reframe cyber risk management discussions in the boardroom. Take initiative today to collaborate with other executives and leaders across your organization to face the evolving threat and regulatory landscape.
The information provided in this post does not, and is not intended to, constitute legal advice and should be used for general informational purposes only.