In 2023, the Securities and Exchange Commission (SEC) implemented new cybersecurity disclosure rules. These regulations require annual reporting on cybersecurity risk management, strategy, and governance, as well as the disclosure of “significant” threats and breach incidents within four days of their occurrence.
The introduction of new SEC cybersecurity requirements represents an important milestone in the ongoing fight against cyber threats. In 2023, Chief Information Security Officers (CISOs) revealed that three out of four U.S. companies were vulnerable to significant cyberattacks. As a result, cybercrime remains one of the biggest risks facing U.S.-based businesses. Additionally, in the same year, nearly 7 out of 10 organizations in the United States experienced a ransomware attack within the past 12 months.
Cyberattacks pose significant risks to businesses, primarily in terms of financial damage. In 2024, losses due to cybercrime are predicted to exceed $452 billion in the United States alone. Cyberattacks also lead to the loss of sensitive data: in 2023, the United States ranked third in the world for the percentage of companies reporting the loss of sensitive information.
Additionally, data breach incidents affected approximately 422 million people in the country in 2022, with a total of 1,802 incidents. The United States is known as one of the countries with the highest density of data breaches. Beyond the financial and data loss implications, businesses are also wary of reputational damage, significant downtime, and the potential loss of current customers, all of which can affect a company's reputation and overall standing.
Heightened awareness
A recent report from Infatica, a provider in the proxy services market, shows that companies are beefing up their defenses with growing risks and the new SEC rules in mind. According to the company's data, searches for proxy services have increased by 106.5% compared to last year. The reason behind this trend lies in the ability of proxies to mimic the traffic patterns of cybersecurity attacks; by using this technology, companies can test how their defenses hold up.
The growing interest in proxy servers is not just about strengthening security measures. Searches for “free web proxy server” increased by 5,042.9%, indicating that accessible solutions that provide anonymity are being widely pursued. Meanwhile, demand for “proxy server list” and “anonymous proxy server” also increased significantly by 80.6% and 414.3%, respectively, highlighting the importance of reliable and prudent online operations.
Although the SEC's cybersecurity rules primarily target publicly traded companies, many of these companies rely on smaller third-party software and supply chain providers. A cyberattack on any link in this chain can have serious consequences. For this reason, non-public institutions also need to strengthen their defenses.
A big gap
As companies ramp up their preparations, it is clear that significant gaps still exist. A notable 81% of security leaders recognize the impact the new rules will have on their business. However, only 54% of companies said they were confident in their organization's ability to comply effectively. Surprisingly, only 2% of security leaders have started the process of complying with the new rules. While around 33% are still in the early stages, a staggering 68% feel overwhelmed by the new disclosure requirements.
Among the myriad challenges, determining the severity of a cybersecurity incident stands out, with 49% of respondents highlighting its complexity. Additionally, 47% are struggling to strengthen their disclosure processes, further complicating compliance efforts.
Here is some advice on how to prepare to comply with SEC cybersecurity rules.
1. Integrate cybersecurity risk data
With new regulations requiring disclosure of discovered incidents and comprehensive quarterly and annual reporting on cybersecurity strategies, organizations must prioritize cybersecurity risk assessments and centralize their incident data. By consolidating this data into a single repository, rather than having it scattered across spreadsheets or lost in email inboxes, you improve your chances of meeting SEC deadlines for incident disclosure and reduce the time spent gathering information from different departments and stakeholders.
2. Acquire the ability to quantify cyber risk
Traditionally, organizations have used qualitative techniques such as ordered lists and red, yellow, and green severity charts to assess the importance of cybersecurity incidents and other risk events. Although the SEC recommends considering these ratings to determine the significance of an incident, quantifying cyber risk provides more accurate insight into the financial impact of an incident. By quantifying and understanding the financial impact of cyber risk, organizations can take the necessary steps to reduce costly risks or, ideally, prevent them altogether. This approach reduces the overall amount of disclosure required.
3. Optimize your incident management process
Now is the perfect time to conduct a comprehensive review of your organization's incident management processes and ensure you are proficient at identifying, responding to, and reporting cybersecurity incidents. Streamlining and refining these processes makes it easier to stop cyber risks before they become serious issues, and enables rapid reporting when needed.
4. Strengthen cybersecurity and cyber risk governance
To ensure compliance with the SEC's new regulations, boards must be properly informed about their organization's cybersecurity risk management practices. Implementing a robust reporting and communication process is essential to regularly update leadership on cyber risk management efforts and incidents experienced by the company. Additionally, it is important to clarify how these incidents can impact, or have already impacted, the organization's strategy and finances.
5. Protect your relationships with third parties
The updated regulations emphasize the importance of assessing cyber risk beyond the organization. Meeting requirements for third-party cyber risk assessment reporting and secure vendor selection emphasizes the need to establish an effective third-party risk management program. In fact, supply chain attacks targeting small contractors and vendors often rank among the leading causes of cybersecurity incidents in large organizations.
6. Improve the cyber risk culture within your team
Digital transformation has had a major impact on nearly every organization, especially in the years following the COVID-19 pandemic, which accelerated the shift of work and life online. As a result, the number of employees connecting to an organization's network from a variety of locations and devices has mushroomed, significantly expanding the cybersecurity attack surface. This shift highlights the critical importance of fostering a culture of cybersecurity risk awareness, where cybersecurity is seen as everyone's responsibility, not just the purview of the information security team. The more an organization instills in its members awareness of the threats posed by cyber risks, the stronger its overall cybersecurity posture will be and the less time it will take to disclose an incident to the SEC.
While SEC regulations pose challenges, they also present opportunities. Following the rules can reduce a company's cybersecurity risk, increase investor confidence, attract capital investment, and contribute to long-term business sustainability.
This article is produced as part of TechRadarPro's Expert Insights channel, featuring some of the brightest minds in technology today. The views expressed here are those of the author and not necessarily those of TechRadarPro or Future plc. If you're interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro