Andrew Casey, CFO, Lacework
In response to the rise in both frequency and complexity of cyber attacks, the U.S. Securities and Exchange Commission (SEC) has taken a definitive stance: public companies are now required to disclose material cybersecurity incidents. This decision marks an official recognition of the intensifying cyber threat landscape businesses are facing today.
The rules require companies to outline the nature, scope, timing, and potential impact of the incidents within four days of determining those events to be material. While these new directives are a step in the right direction toward greater transparency and accountability, the ambiguous standards and scope of the required cybersecurity efforts also introduce challenges for boards and business leaders, particularly around the specifics and timings of their disclosures.
Why disclosing breaches is a daunting task
The notion of disclosing cybersecurity breaches that are material is daunting for many companies. Not only do company leaders and boards bear the responsibility of determining what constitutes “material,” but they also need to understand the extent and basis under which a cybersecurity breach impact is measured. Once incidents are identified, they face a tight four-day window to make the disclosure.
This leaves much room for error, especially when a board lacks the expertise and technology needed to identify the detailed attack path that an attacker could take. They may not fully understand the impact of that breach within the four-day disclosure period because they are not able to anticipate the attacker’s next move.
Prioritize cybersecurity expertise
The value of cybersecurity expertise on corporate boards remains undeniably high as board members are increasingly expected to understand if and how companies are effectively implementing cybersecurity programs. The new guidelines specifically point out the board's role in overseeing cybersecurity risk management processes, which must be detailed in annual reports. This requires a deeper understanding of cybersecurity risk, posture, threat detection and real-time monitoring of assets, workloads, applications, and individuals.
Invest in the right security platforms
Given the rapid movement of infrastructure, applications, and workloads to public cloud, effective cybersecurity programs must demonstrate a clear understanding of their company’s posture. Companies must invest in platforms that swiftly address threats and provide actionable insights. An in-depth understanding of the company’s cloud infrastructure is vital, from servers and databases to user behaviors. Essential features in security tools include Cloud Security Posture Management (CSPM), workload monitoring, and behavioral anomaly detection. The best platforms leverage AI and machine learning for data analysis, pattern detection, and tailored risk advice.
Determine which incidents to report
With the optimal security technologies and processes in place, boards are better positioned to obtain the information and data they need to decide which incidents to disclose publicly. Boards should consider the following questions:
- What's the scope of the breach?
- How many records were affected?
- Was any customer data or personally identifiable information/protected health information involved? Breaches involving sensitive data carry significant legal and reputational implications.
- How pervasive was the breach within the environment? A breach spreading across multiple systems or departments may indicate a larger security flaw.
- Was it a third-party breach? These kinds of breaches can complicate the response process, often requiring collaboration across organizations.
- Has the incident been contained? Only those incidents that have been fully and legally contained should be publicly disclosed.
When in doubt, the most important factor to consider is sensitive information. "If it impacts personal data or sensitive data of a customer, it's considered material," Tim Chase, our Global Field CISO at Lacework, said.
Use the SEC guidelines to your advantage
The landscape as outlined by these new SEC rules may seem challenging, but it presents an opportunity for executive teams to reassess and improve their cybersecurity strategies. It's about strengthening cybersecurity practices and reassuring stakeholders of their safety and trust. Our goal remains to secure our customers' data, and these new guidelines mark a significant step toward achieving that objective. For more information on how to comply with the SEC cybersecurity guidelines, read this solution brief from Lacework.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.
Other Topics
Board and Leadership Policy & Regulation Cybersecurity
Lacework
Lacework offers the data-driven security platform for the cloud and is the leading cloud-native application protection platform (CNAPP) solution. The Lacework Polygraph® Data Platform learns and understands behaviors that introduce risk across your entire cloud environment, so you can innovate with speed and safety. With visibility from code to cloud and automated insights into unusual activity, threats, vulnerabilities, and misconfigurations, you gain the context to prioritize and act faster.
Read Lacework's Bio