SEC Cybersecurity Update May Lead to Increased Oversight

In direct response to an unprecedented streak of massive data breaches and security incidents, the SEC recently released a statement and guidance on public company cybersecurity disclosures. The SEC's guidance has two major focuses: the importance of cybersecurity policies and procedures and the application of insider trading prohibitions in the cybersecurity context.

While signals are mixed, the SEC appears to view cybersecurity policy and practice as central to protecting markets. To quote from the SEC's February statement: “Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.”

To be clear, the updated guidance is not a formal regulation, so companies may choose to review and fix policy management issues — or they may ignore it altogether. Savvy corporate information security executives will internalize that this pointed focus on cybersecurity means increased oversight is soon to follow. We see this guidance as a precursor to regulations that could grow into a regime on par with SOX.

This prediction is supported by a few key factors:

  • Precedent — The New York State Department of Financial Services, 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies. See also state-level notification laws and the EU’s GDPR. 
  • Avalanche — Financial sector breaches have tripled in five years.
  • Driver — Investors are seeking risk awareness to ensure they have all the facts for prudent investments.

Most experts and market watchers are discussing the SEC guidance in terms of how public companies will and should react to it. The untold story is that the guidance is likely a precursor to increased oversight. We’ve seen it happen in other sectors with governing bodies, such as in financial services with the FFIEC.

The SEC’s renewed focus on cybersecurity and data breaches is a good news/bad news scenario for CISOs. CISOs can leverage the gravity of SEC oversight into increased visibility and authority in the boardroom, as CEOs and CFOs now have greater risk management responsibility and accountability to investors. On the other hand, CISOs also now face heightened scrutiny and greater accountability, including the potential for more significant personal penalties. 

Questions and Concerns
Most public companies are already straining under the weight of regulatory burdens and have invested heavily in their cybersecurity defenses. What more can they do?

The SEC guidance can be seen as a response to, and hedge against, the negative impact of massive breaches on public trust – already at a remarkably low point. Headline-worthy breaches keep happening. The full fallout from the Equifax disaster may still be coming. Target still finds itself getting press five years after its data breach. 

While public companies have less and less say over what they disclose, it is important to examine the trust issue from a strategic standpoint: What effect will more disclosures have? What will happen to companies that fail to disclose in a timely and transparent manner? The SEC has already provided one answer, in the form of a $35 million penalty against Altaba (Yahoo) for failing to disclose a massive breach in 2014.

Urging public companies to do a better job of incident response, through integrated policies, procedures, controls, and collaboration, in the event of a breach or cyber-attack is only one part of the guidance.

Another major area of focus is risk management — the SEC emphasizes that investors have a right to be notified of major risk factors, even before a negative event occurs. This means public companies, which often leverage complex global supply chains, will likely need to improve their enterprise risk management programs to gain the visibility and agility required to achieve a proactive state.

Answers and Insights
The next step is to integrate all the components — cybersecurity, data privacy, data integrity, compliance, audit, business resiliency and third-party management — merging and managing them through an integrated risk management program and solution.

These technology platforms support risk management effectiveness and policy management best practices, a core aspect of the SEC update. Organizations with solid integrated risk management programs are able to leverage their visibility into various components (vendor risk, audits, etc.) to make IT risk management more effective and actionable.

By systematically linking policies to controls, it becomes easier to prove compliance and diligence. The linkages provide a defensible record, essential to withstanding public scrutiny and investigations. Everything can be documented, from the publication and distribution of policies to training and testing, and then investigation, corrective actions, and follow-up reports.

Moreover, policies managed through integrated risk management solutions can be created and updated efficiently in response to business or regulatory changes.

A quick scan of the SEC guidance (and most other cybersecurity directives) reveals a daunting number of details and convoluted processes that need to be addressed. That’s why automation is so vital to achieve excellence in risk management.

Streamlining workflows, centralizing documentation, freeing data from silos, and systematizing processes — all these capabilities save time and money, but they also increase visibility across the enterprise, enable collaboration, and bridge vulnerable gaps.

In the end, the issues raised by the SEC’s updated guidance are important for every organization. Cultivating corporate responsibility, sustaining consumer trust, protecting valuable data assets, and maintaining the integrity of critical ecosystems are all essential to long-term success and competitive advantage.

Digging deep to identify vulnerabilities, track improvements and outcomes, and ensure accountability will create a stronger, more resilient organization.
