[BreachExchange] SEC Cybersecurity Update May Lead to Increased Oversight

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jul 11 20:33:02 EDT 2018


https://www.infosecurity-magazine.com/opinions/sec-update-increased-oversight/

In direct response to an unprecedented streak of massive data breaches and
security incidents, the SEC recently released a statement and guidance on
public company cybersecurity disclosures. The SEC's guidance has two major
focuses: the importance of cybersecurity policies and procedures and the
application of insider trading prohibitions in the cybersecurity context.

While signals are mixed, the SEC appears to view cybersecurity policy and
practice as central to protecting markets. To quote from the SEC's February
statement: “Today, the importance of data management and technology to
business is analogous to the importance of electricity and other forms of
power in the past century.”

Prognosis
To be clear, the updated guidance is not a formal regulation, so companies
may choose to review and fix policy management issues — or they may ignore
it altogether. Savvy corporate information security executives will
internalize that this pointed focus on cybersecurity means increased
oversight is soon to follow. We see this guidance as a precursor to
regulations that could grow into a regime on par with SOX.

This prediction is supported by a few key factors:

Precedent — The New York State Department of Financial Services, 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies. See also state-level notification laws and the EU’s GDPR.
Avalanche — Financial sector breaches have tripled in five years.
Driver — Investors are seeking risk awareness to ensure they have all the facts for prudent investments.

Most experts and market watchers are discussing the SEC guidance in terms
of how public companies will and should react to it. The untold story is
that the guidance is likely a precursor to increased oversight. We’ve seen
it happen in other sectors with governing bodies, such as in financial
services with the FFIEC.

The SEC’s renewed focus on cybersecurity and data breaches is a good
news/bad news scenario for CISOs. CISOs can leverage the gravity of SEC
oversight into increased visibility and authority in the boardroom, as CEOs
and CFOs now have greater risk management responsibility and accountability
to investors. On the other hand, CISOs also now face heightened scrutiny
and greater accountability, including the potential for more significant
personal penalties.

Questions and Concerns
Most public companies are already straining under the weight of regulatory
burdens and have invested heavily in their cybersecurity defenses. What
more can they do?

The SEC guidance can be seen as a response to, and hedge against, the
negative impact of massive breaches on public trust – already at a
remarkably low point. Headline-worthy breaches keep happening. The full
fallout from the Equifax disaster may still be coming. Target still finds
itself getting press five years after its data breach.

While public companies have less and less say over what they disclose, it
is important to examine the trust issue from a strategic standpoint: What
effect will more disclosures have? What will happen to companies that fail
to disclose in a timely and transparent manner? The SEC has already
provided one answer, in the form of a $35 million penalty against Altaba
(Yahoo) for failing to disclose a massive breach in 2014.

Urging public companies to do a better job of incident response, through
integrated policies, procedures, controls, and collaboration, in the event
of a breach or cyber-attack is only one part of the guidance.

Another major area of focus is risk management — the SEC emphasizes that
investors have a right to be notified of major risk factors, even before a
negative event occurs. This means public companies, which often leverage
complex global supply chains, will likely need to improve their enterprise
risk management programs to gain the visibility and agility required to
achieve a proactive state.

Answers and Insights
The next step is to integrate all the components — cybersecurity, data
privacy, data integrity, compliance, audit, business resiliency and
third-party management — merging and managing them through an integrated
risk management program and solution.

These technology platforms support risk management effectiveness and policy
management best practices, a core aspect of the SEC update. Organizations
with solid integrated risk management programs are able to leverage their
visibility into various components – vendor risk, audits, etc. – to make
IT risk management more effective and actionable.

By systematically linking policies to controls, it becomes easier to prove
compliance and diligence. The linkages provide a defensible record,
essential to withstanding public scrutiny and investigations. Everything
can be documented, from the publication and distribution of policies to
training and testing, and then investigation, corrective actions, and
follow-up reports.

Moreover, policies managed through integrated risk management solutions can
be created and updated efficiently in response to business or regulatory
changes.

A quick scan of the SEC guidance (and most other cybersecurity directives)
reveals a daunting number of details and convoluted processes that need to
be addressed. That’s why automation is so vital to achieve excellence in
risk management.

Streamlining workflows, centralizing documentation, freeing data from
silos, and systematizing processes — all these capabilities save time and
money, but they also increase visibility across the enterprise, enable
collaboration, and bridge vulnerable gaps.

In the end, the issues raised by the SEC’s updated guidance are important
for every organization. Cultivating corporate responsibility, sustaining
consumer trust, protecting valuable data assets, and maintaining the
integrity of critical ecosystems are all essential to long-term success and
competitive advantage.

Digging deep to identify vulnerabilities, track improvements and outcomes,
and ensure accountability will create a stronger, more resilient
organization.