Organizations today are facing growing, elaborate challenges, ranging from increased regulatory scrutiny and reporting requirements to emerging threat vectors, such as generative AI and high-profile breaches.
To protect citizens, hold companies accountable, and inspire higher levels of security maturity, the SEC updated its rules, now requiring all public companies to disclose “material cybersecurity incidents.”
These updated rules mark a momentous turning point in an era of enforced prioritization of transparency, which increases liability risk for corporate leaders. And, while many companies still mistake cybersecurity for solely an IT issue in today’s heightened and ultra-sophisticated risk landscape, companies must demonstrate that they not only have adequate cyber knowledge at the IT level but that this knowledge extends across the organization. For that reason, today’s security experts argue that making security a widespread value across an entire organization helps companies achieve positive business outcomes and instills resilience for future growth and success.
Security is no longer an optional perk; it is now a necessity. It has become imperative that businesses recognize that cybersecurity can have direct consequences on the long-term viability and success of an organization. Similarly, there is no room for compromise when it comes to balancing security solutions, business resiliency and achieving desired business outcomes.
The highest levels of the business need to step up the vigor of their cybersecurity posture, as well as their compliance processes. Yet, currently, only three in ten board directors rate their board’s ability to oversee a cyber crisis highly, according to survey data from the Wall Street Journal. Board members today have a responsibility to ensure that intelligent, sober guidance on cybersecurity strategy reaches all business units. In addition, they must now also be sufficiently versed in the technological aspects of cybersecurity to provide adequate oversight.
The following provides three steps boards should take to prepare their organizations for the new SEC rules:
Step 1: Uplevel baseline compliance posture to safeguard the organization for the long term
So far in 2023, there have been more zero-days than in all of 2022. With this, patching vulnerabilities and enhancing security are major influences on both the top and the bottom line, and the consequences of such cyber incidents can be severe.
According to a survey conducted by Deloitte, 58% of respondents ranked "operational disruption" as the most significant consequence of a cyber breach. Any time lost from day-to-day business operations results in an undeniable loss of productivity and a hit to the bottom line.
To prevent those unnecessary, unanticipated losses, it is incumbent upon board members to effectively take stock of the company’s current attack surface, understand where there may be blind spots, and ensure the company has sufficient processes to assess, identify and manage material risks.
Step 2: Understand what the new rules mean for the business
From a compliance perspective, the SEC’s new disclosure rules underscore the need for cybersecurity to be seen as an investment in the company’s bottom line.
These disclosure requirements have a direct impact on a company’s ability to manage data breaches and maintain privacy. The ways companies are used to communicating cyber incidents will no longer be sufficient, which is why the new disclosure rule demands the immediate attention of the board.
Ahead of these new rules, companies will need clear cyber strategies planned and in place from the outset. Not only will these companies have pre-packaged strategies that identify cyber risks as they emerge, but they will also mitigate them before they turn into incidents. This includes having a strong pulse on and understanding of new technologies, such as AI, and the potential risks that accompany them. Unfortunately, many organizations do not have the people, processes, or technologies in place to meet the new reporting timelines.
Step 3: Embed cyber as a tenet of the company’s DNA
True success is when the entire organization is invested in maintaining proper security principles, which is why educating employees about potential risks and how they can help foster better cyber hygiene across the organization is critical.
Board members should keep these disclosure rules in mind when developing their larger company strategy to safeguard their business in the short and long term. That starts with embedding strong cyber principles as a core value across all business units, from IT to forensics, to legal, to communications and beyond.
Conclusion
To overcome the challenges these new regulations may introduce, it is essential for board members to make cybersecurity a top-line priority in larger business discussions. Companies can actually leverage these disclosure rules as an asset to achieve sustained growth by mitigating current vulnerabilities, re-aligning processes to meet proper reporting requirements, and centering security as a shared value of the entire organization from the ground up.
Too many companies are struggling with the complexity of multiple, disintegrated vendors, underutilized tools, and security skillset shortages, and have paid the price for the resulting vulnerabilities. Businesses should rely on trusted partners who are security experts to cut through the noise, and deliver efficient, effective cyber solutions. By aligning with these requirements and looking at cybersecurity holistically, businesses will not only become more efficient, but they can also protect themselves against potential cybersecurity risks while maximizing their potential for success.
Lee Waskevich is the VP of Security Solutions at ePlus Technology and is responsible for overall strategy for the ePlus Security practice. Lee and his team design and deliver tailored cybersecurity programs aimed at mitigating business risk, fortifying digital transformation, and creating a safer environment for customers’ data and brands.
Lee’s professional experience prior to ePlus includes consulting on high-profile engagements for companies like Comcast and EvolveIP. This includes roles as Lead Network and Security Architect and the design and build-out of a service provider network utilizing MPLS, VPN and managed security services. Exposure to some of the world’s leading technology for ISP, carrier, and customer networks early in his career paved the way for his success as a security industry strategist and leader. In recent years, Lee’s role has provided him the opportunity to consult on cybersecurity and wireless engagements across healthcare, financial and public sector clients.