The Securities and Exchange Commission (SEC) has released new cybersecurity rules that require public companies to disclose details of material incidents, as well as details of cybersecurity risk management, strategy, and governance. This represents a significant evolution in the regulatory landscape, as it demands proactive measures and strategic planning from organizations. Cybersecurity is no longer simply a compliance checkbox, but an imperative that affects the entire organization. Key points:
- SEC’s new cybersecurity rules require public companies to disclose details of material incidents and the company’s cybersecurity risk management, strategy, and governance.
- Cybersecurity is no longer just about compliance but an imperative.
The new SEC cybersecurity requirements extend beyond the control environment over financial reporting and impact every facet of an organization. The regulations demand an enterprise-wide cybersecurity program, which requires companies to take a proactive approach to addressing cyber threats. Compliance with the rules will require organizations to make organizational changes, develop a standard contextual understanding of cybersecurity, and build a culture of shared responsibility for cybersecurity. Key steps to meet the requirements include:
- Inventorying assets in the environment to ensure a complete understanding and management of assets.
- Using a single framework of controls to encompass relevant requirements in a unified control structure.
- Applying the control framework in a risk-based manner that aligns with the organization’s unique priorities.
- Monitoring the effectiveness of controls and developing a compliance approach.
- Using cloud-based services and microsegmentation to enhance risk-based security.
By following these steps, organizations can meet the SEC’s cybersecurity requirements and build a robust cybersecurity foundation that safeguards operations, data, and reputation. In a rapidly evolving digital landscape, these actions are crucial for long-term resilience against cyber threats.