The U.S. Securities and Exchange Commission (SEC) is sending strong signals it wants to see boards and C-level executives pay closer attention to cyber risk at publicly traded companies. The SEC’s compliance inspections office started off 2020 by reaffirming “cyber and information security” risk as a top examination priority. Since then, four of their ten announcements have focused heavily on
cyber security—
- a guide to cyber risk best practices;
- a threat alert on ransomware attacks;
- a threat alert on credential stuffing attacks; and
- a section on cyber risks in its threat alert on COVID-19 compliance risks for brokers and advisers.
What does the SEC want from cyber risk disclosure?
Broadly, the SEC wants publicly traded companies to disclose cyber risks so investors can make informed decisions about their holdings and positions.
To get there, the SEC’s 2018 cyber risk disclosure guidance essentially took the position that there are only two types of publicly traded companies: those that have been breached, and those that don’t know it yet: “…it is critical that public companies take all the required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but not yet have been the target of a cyberattack.”
The 2018 guidance also made company executives and board members accountable for understanding cyber risk. Companies must disclose the board’s role in risk oversight at the company, and for material cyber security risks, that “should include the nature of the board’s role in overseeing the management of that risk.”
What cyber security compliance practices are recommended?
The January 2020 best practices guide from the SEC’s compliance inspections office identifies eight categories of best practices. While the SEC acknowledges there is no one-size-fits-all approach, CISOs should probably review their organization’s practices and procedures against these. For example:
Governance
This best practice category is about senior leaders’ commitment to improving organizational cyber posture by “working with others to understand, prioritize, communicate, and mitigate cybersecurity risks.” Governance includes:
- Senior level engagement from the board and other leaders to set strategy and oversee cybersecurity and resilience programs;
- Risk assessment processes documented in policies and procedures to identify, manage and mitigate cyber risks to the business;
- Testing and monitoring on a “regular and frequent basis” to validate risk process and policy effectiveness;
- Continuously evaluating and adapting to changes revealed by testing and monitoring results—i.e. updating policies and procedures to address gaps and weaknesses, “and involving board and senior leadership appropriately”; and
- Communication policies and procedures “to provide timely information to decision makers, customers, employees, other market participants, and regulators as appropriate.”
For the SEC’s seven other best practices, see the SEC’s guide here: “Observations on Cybersecurity and Resiliency Practices.”
CISOs need a 360-degree view of cyber risk
To comply with the SEC guidance, companies must be positioned to:
- Constantly understand their risk profile; and
- Communicate changes to that profile consistently.
Therefore CISOs of those companies need to have an ongoing 360-degree view of their company’s security posture including preventative measures, vulnerabilities and associated risks.
Learn how Verizon’s cyber risk monitoring can help you with tools and reports to better understand your risk profile.
David Grady is an ISACA-Certified Information Security Manager (CISM) and Chief Cybersecurity Evangelist at Verizon Business Group.