CISOs Can Use New SEC Cyber Rules to Their Advantage

By neub9

SEC’s new cybersecurity disclosure rules are a game-changer and will impose greater compliance requirements on companies. However, Jose Seara, CEO of DeNexus, sees the new rules as an opportunity for innovative CISOs.

Editor’s note: Jose Seara is CEO of DeNexus, a provider of cyber risk quantification and management technology.

The SEC’s new cybersecurity guidelines, which came into effect in December, signify a significant transformation for public companies. They are now required to disclose material cyber incidents within four days of discovery and provide details about their risk management, strategy, and governance policies.

Beyond the disclosure obligations themselves, the new rules have sparked two discussions: whether cyber risk quantification and management are now a necessity given the increased exposure, and whether the timeframe allowed is adequate to confirm a breach and understand its impact.

Noncompliance carries significant repercussions for chief information security officers (CISOs) and security teams, as the SEC has shown a willingness to take aggressive action against organizations and individuals.

To ensure compliance with these strict regulations, organizations must have a robust security infrastructure in place to mitigate risks and continuously monitor their cyber risk and potential financial impact, enabling them to satisfy the new disclosure rules.

Challenges for CISOs

Recent events, such as the case against SolarWinds CISO Timothy Brown, highlight the repercussions of noncompliance with SEC mandates. Brown is facing allegations of fraud and internal control failures, emphasizing the criticality of compliance.

Failure to meet SEC guidelines may result in prosecution by federal or state governments and civil liability from investor lawsuits. CISOs should view the new mandate as an opportunity to reinforce the business case for cybersecurity and risk mitigation, utilizing the new requirements to enhance projects and processes that contribute to proactive management of cyber exposures.

Companies that proactively review their cybersecurity and cyber risk management programs will not only comply more easily with the new regulations but also immediately strengthen their cyber resilience.

Translating Cyber Risk

To prevent extensive damage from cyber breaches, the conversation about potential cyber risk needs to involve more than just CISOs. C-suite executives must be included to ensure organizational leaders fully understand the implications of these risks beyond immediate security concerns.

C-suite leaders other than CISOs should be encouraged to participate in risk mitigation efforts. Effective communication and a common language among CISOs, chief financial officers, and boards are essential to ensure all business leaders understand the magnitude and scope of security-related noncompliance.

Translating cyber threats into tangible implications and consequences that key stakeholders can understand without a security background is crucial. This approach appeals to the knowledge and priorities of other business leaders and board members, ensuring a shared understanding of the potential damage associated with security incidents and noncompliance.
