The SEC's New Cybersecurity Regulations: Implications and Opportunities for Startups

One of the most prominent topics in the cybersecurity world in the past few weeks is the new rules adopted by the Securities and Exchange Commission to guide cybersecurity risk management for public companies. The rules revolve around disclosures of cybersecurity processes and incidents, with the following information required:

• When the incident was discovered and whether it is ongoing;

• A brief description of the nature and scope of the incident;
• Whether any data were stolen, altered, accessed, or used for any other unauthorized purpose;
• The effect of the incident on the registrant’s operations; and
• Whether the registrant has remediated or is currently remediating the incident.

These rules portray a growing recognition of cybersecurity as a critical business component. Thus, the principal lesson, for all organizations, and particularly startups (whether public or private) is that leaders must take a new approach to cybersecurity governance.

This article discusses some of the major implications of the latest set of regulations, as well as how companies can ensure compliance even while enhancing their internal cybersecurity processes.

Board and Management Involvement in Cybersecurity

Before now, forward-thinking business leaders have recognized cybersecurity as a critical business component and have proactively gotten themselves involved in the risk management process instead of leaving it up to the IT team as it was traditionally done.

The past few years have also seen an increase in Chief Information Security Officer roles, which underscores the importance of cybersecurity to organizations today.

Source: Gartner

Now, the SEC has officially mandated the involvement of the board of directors and members of the management in maintaining oversight of risks from cybersecurity threats.

Part of what organizations must now disclose is how this oversight works as well as the reporting processes put in place to keep the directors in the loop about cybersecurity incidents.

Speedy Assessment of Cybersecurity Incidents

The ultimate goal of the SEC’s new rules is to get public companies to demonstrate a strong commitment to managing cybersecurity risks in their organization. This includes speedily assessing cybersecurity incidents to mitigate their impact.

For one, registrants are required to file a Form 8-K within four business days from when the registrant determines that a material cybersecurity incident has occurred. The materiality of an incident might not be immediately determined but the SEC mandates that such a decision must be made without unreasonable delay.

In short, organizations must now move swiftly in assessing cybersecurity incidents, taking into cognizance every relevant factor and ascertaining which of their digital assets or their customers’ assets have been affected.

Source: NIST

Continuous Risk Management Strategy

Besides the mandatory reporting of cybersecurity incidents, the SEC has also directed organizations to periodically disclose their cyber risk detection and management processes.

This forces companies to adopt a proactive risk management approach where the guards are continually up, instead of plugging breaches with temporary fixes.

Also, due to the highly dynamic nature of contemporary business environments, continuous risk management enables organizations to enhance their overall resilience and agility, thus developing the capacity to respond more quickly and effectively to emerging risks.

Such a strategy is, in fact, a competitive advantage in a world beset with so many increasingly sophisticated cybersecurity challenges.

Effective Cybersecurity Documentation

If the SEC’s new rules were to be summarised into a single point, perhaps it would be this. Organizations are required to create written records of everything related to cybersecurity.

This means there must be documentation of their risk management efforts, observed incidents, oversight processes, and so on. From a legal angle, this has a practical implication for demonstrating to the SEC as well as shareholders that an organization is managing its cybersecurity risks effectively.

Depending on whether it is done properly or otherwise, it could also serve as evidence for or against a company if it ever gets into a legal battle over cybersecurity in court.

Without comprehensive, up-to-date, and consistent documentation, an organization will find it incredibly hard, if not impossible, to prove that it has maintained high cybersecurity standards.

Global Implications for Companies Located Abroad

One interesting implication of the SEC’s new rules applies to companies operating abroad, as long as they are registered in the US and appear on the stock exchange market.

This includes companies headquartered abroad but with operations in the United States, as well as companies headquartered here but with branches and subsidiaries in other countries.

Even though other countries may not have such a stringent cyber stance, they are required to follow the new rules and enhance their cybersecurity infrastructure. This is highly important because the world is now globalized and information exchange across borders is not seamless.

In the case of companies with global operations, incidents committed abroad could easily affect their US customers. So, it’s important for multinationals to ensure cybersecurity compliance across their organization and all subsidiaries. After all, a company’s cybersecurity is only as strong as its weakest link.

Challenges:

All is not perfect yet, though; the new regulations have elicited several questions and issues concerning how companies can ensure compliance. These are some of the major challenges that companies might face:

• One issue that the new rules do not clarify but which is prominent is the question of how to define a material incident or what constitutes materiality once a cybersecurity incident has occurred. Companies have little guidance to follow when determining which incidents to report.
• Given the level of disclosure required, leaders are worried about disclosing incidents without tipping off attackers. Surely, this is another dimension that cyber attackers will be exploring in advancing their threats.
• Companies need to ensure that third-party entities including partners, suppliers, and vendors adhere to the same stringent cybersecurity standards even if those entities are not SEC registrants. Given the spat of third-party breaches these days, this is understandable.

Source: Help Net

Conclusion

The ultimate goal of the SEC’s new rules is to promote accountability regarding cybersecurity. As a startup, even if your company is not yet public, the rules contain insights that you can adopt in developing proactive strategies for combating cybersecurity threats in your organization.

For instance, you can start by implementing extensive and effective documentation of cybersecurity processes and incidents, upgrading cybersecurity to a board-level concern with strict top-down oversight, and implementing a continuous risk management approach