With cyberattacks taking center stage in news reporting, the U.S. government recognized the need to take action to ensure private companies and public entities protect the data of its citizens. Voluntary measures taken by companies in the past have not proven sufficient or consistent. Therefore, the U.S. Securities and Exchange Commission (SEC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have stepped in and introduced new cybersecurity rules. These two federal agencies take differing approaches to the requirements for organizations to secure private and public data. Let’s dive into both the SEC Cybersecurity Rule and the CISA Directive and see how they can be integrated into an organization’s data security strategy.
The SEC Cybersecurity Rule is a set of regulations that govern the security and privacy of customer information held by SEC-regulated financial institutions. Under the rule, these entities are required to have written policies and procedures in place to safeguard customer information, including protections against unauthorized access or use of that information. They must also provide customers with notices explaining their privacy policies and provide an opt-out mechanism for customers who do not want their non-public personal information shared with third parties. The SEC Cybersecurity Rule has been updated over the years to reflect the changing cybersecurity landscape and evolving threats and make it easier to evaluate public companies' cybersecurity practices and incident reporting.
The recent SEC cybersecurity proposed rules place a greater focus on disclosure before and after a cyber-event. Companies are required to disclose whether there is cybersecurity expertise on the company’s board of directors; which members of the board oversee cybersecurity risks and that process; policies for identifying and managing cyber threats, and how Management will implement these policies. The SEC cybersecurity disclosure requirements also require companies to disclose a material cybersecurity incident within four business days of occurrence.
The CISA Directive takes a more proactive approach by providing federal agencies with guidance and requirements for improving their cybersecurity posture. The directive outlines a set of specific actions that federal agencies must take to enhance their cybersecurity defenses, including vulnerability assessments, patching critical vulnerabilities, and implementing multi-factor authentication for privileged accounts.
The CISA guidelines also establish requirements for incident response planning, threat hunting, and security operations center (SOC) capabilities. The directive is intended to help federal agencies be proactive about identifying and mitigating potential cyber threats before they can cause significant harm to federal systems and data. Federal agencies are required to comply with the CISA rules and report their progress to CISA on a regular basis. Timelines for incident reporting are tight as well, but, unlike the new SEC Cybersecurity Rule, CISA reporting would anonymize any details on cyberattacks before any public disclosure.
Information sharing is critical in the cybersecurity space, and the proposed rules demand increased disclosure and transparency for both public companies and federal agencies as a means of protecting the US from cyberattacks. Data about the latest malicious tactics can inform a defense strategy, and that information also helps government agencies decide how to respond. The sooner a vulnerability is disclosed, the sooner other related companies and agencies can react to mitigate the threat. These rules also strengthen investors’ ability to evaluate public companies' cybersecurity practices and incident reporting, making companies that follow these rules even more attractive to the market.
While the government has a significant role to play in achieving these outcomes, the strategy indicates that the private sector is expected to step up to address their own technological vulnerabilities. However, the tight timeframes and necessary evidence make it difficult for many companies to meet the requirements of the laws without adding staff or outsourcing the work. For example, four days may not be enough time to evaluate the threat and determine what information needs to be disclosed. And even if an organization can meet the deadline, publicly disclosing vulnerabilities before those gaps are plugged can exacerbate the risk. Organizations are justifiably nervous about making important decisions under pressure.
Government agencies must find a balance. One where information about an incident can be shared quickly to enable the SEC and CISA to protect the cyber ecosystem, but without companies experiencing the fear of a backlash by publicly disclosing too much information too early.
Rather than wait for the regulations to become finalized, organizations can already take steps to prepare for these changes by creating a cybersecurity strategy that meets both the SEC Cybersecurity Rule and CISA Directive approaches. Here are some suggestions:
Organizations should perform a comprehensive risk assessment to identify potential cybersecurity threats and vulnerabilities, understand the financial impact of this risk, and develop strategies to mitigate those risks. This can help organizations to prioritize their cybersecurity efforts, calculate the ROI against the costs of addressing the risks, and allocate resources effectively.
Organizations should develop and implement a comprehensive cybersecurity program that consists of the following:
The program must also include a clear disclosure process, policies to address incidents, and procedures to meet the four-day disclosure timeframe as set by the SEC and CISA rules.
As the new laws specify board member obligations, organizations should look for board members with experience in incident management and security. People in the know are better placed to guide the company as it navigates the cybersecurity minefield, and can also help boost buy-in from Management.
Organizations should train their staff on cybersecurity best practices and how to identify and respond to potential cyber threats. This includes incident management and their responsibilities when it comes to disclosures under the SEC Cybersecurity Rule and the CISA Directive.
Organizations should work closely with their third-party vendors to ensure they comply with the SEC Cybersecurity Rule and the CISA Directive, as well as other regulations set forth by the White House Memo and the NIST Guidance. Supply chain security must be taken seriously. This can include reviewing vendor contracts and requiring vendors to provide regular reports on their cybersecurity practices and controls.
Overall, organizations should take a proactive approach to cybersecurity and prioritize their efforts to protect against potential threats. By developing a comprehensive cybersecurity program and implementing best practices, organizations can minimize risk and ensure Compliance with the SEC Cybersecurity Rule and the CISA Directive.
Guidance on cyber oversight and disclosure is available – or becoming available – from the SEC for public companies and CISA for federal agencies. While many of the new rules are still in the proposal stages, all organizations can undoubtedly expect to take on more accountability around data security in the near future. This may even represent the start of additional requirements for publicly traded companies as it relates to the current rules for SOC2 and ISO27001.
Organizations must begin to prepare to comply with more stringent cybersecurity requirements. They should consider their disclosure policies in preparation for the worst-case scenarios while, at the same time, proactively strengthening their risk strategies and policies. The easiest way to achieve this? Through data and automation.
Organizations can leverage data and automation to address numerous security Compliance needs, including risk and policy management. Taking a proactive approach to finding cybersecurity gaps demonstrates the prioritization of cybersecurity as a strategic function and ultimately builds stakeholder trust. Importantly, it also mitigates the need for incident management and disclosures under the SEC Cybersecurity Rule and the CISA Directive.
Want to learn more about how to implement data and automation into your cybersecurity strategy? Want to handle the SEC Cybersecurity Rule and CISA Directive with confidence? Check out anecdotes. Pioneers in Compliance automation solutions, we know the power of evidence-based data and how to use it to conquer any Compliance challenge like a pro.