Mitratech - The Impact of SECs New Rules in Cyber Risk Management

The Impact of SEC’s Proposed New Rules in Cyber Risk Management

Morgan Miller

A new discourse in the cyber risk management landscape of US public companies is here.

In March 2022, the US Securities and Exchange Commission (SEC) added another item to its to-do list by publishing proposed rules, and opening a public comment period, on how listed US companies must manage and disclose their cyber risk. This reflects how mainstream digital and e-commerce systems have become and how much they contribute to business and shareholder value.

For investors, however, this contribution is double-edged. Digital capabilities drive value, but they also expose companies to potentially significant new risks. Those risks can be substantial, and companies need effective cyber risk management capabilities to assess, manage, and counter cyber threats.

The SEC consultation process aims to help develop a cyber risk management regulatory framework that is effective, practical, and valuable to investors, companies, and the broader market.

While still at the consultation stage, the direction of travel is clear. In due course, SEC cyber risk management regulation will likely be on a par with the compliance requirements of Sarbanes-Oxley (SOX).


Exploring SEC’s New Requirements

Firstly, the proposal folds cyber risk disclosure into the company's existing SEC reporting obligations rather than creating a separate regime. Material cyber incidents would be disclosed on Form 8-K within four business days of the company determining that an incident is material, and periodic reports (such as the annual Form 10-K) would describe the company's cyber risk management policies and procedures, its risk management and governance framework, and the Board's expertise in this area. Companies would also have to provide updates on previously disclosed incidents and explain their business implications.

As is usually the case with new regulation, the text itself is, in many ways, the easiest part to digest. The challenge lies in mastering the detail and working out how best to align your risk management systems and processes with it. In some cases, this may force companies to go back to first principles: understand and document their existing cyber security systems and procedures so that everything is identified and recorded, end-to-end. This approach also lets companies identify gaps that could be exposed to regulatory scrutiny, and the operational, commercial, or reputational risks those gaps create.

While gaps and issues may emerge from this analysis, that is not to say that listed companies are oblivious to cyber risk. Few listed companies, or companies planning to list, will be without a cyber security policy, a range of relevant systems and processes, and, most likely, an appointed Chief Information Security Officer (CISO).

The key challenge is working out how best to capture and consolidate all this effort and activity so that the company is resilient, can withstand regulatory scrutiny, and can develop as it needs to, with cyber security enabling the business rather than holding it back.

Historically, companies have looked to enterprise risk management (ERM) applications to address and enhance their cyber risk management capabilities. This approach can be very prescriptive, and while it suits some businesses, it is often a challenge for many others to implement.

Many companies understand the importance of selecting the right enterprise risk management (ERM) solution, as technology can be a strong ally here. Leveraging modern SaaS-based technologies to manage cyber risk is a dynamic approach that ultimately benefits the organization: easier to deploy and more user friendly, such platforms can enhance your existing capabilities and processes to ensure operational resilience.

What might a SaaS-based solution look like for your business?

The ideal solution will first feature a centralized architecture that allows you to capture, consolidate, and define your enterprise cyber security policy. Many environments contain a mix of different approaches, with gaps between them. The trick is to have a unified structure that everyone can pivot towards.

The next step is to ensure that people understand their obligations and implement them thoroughly. Historically, this has been the security team's responsibility. However, the onus of implementing a security policy is shifting from the security team to the day-to-day operations teams. SaaS-based systems allow security teams to embed their policy requirements in the platform itself, so that their role becomes more focused on providing advice and direction rather than policing. This helps ensure that security standards are maintained in an increasingly complex technological environment, while working within the resource constraints that security teams are typically subject to. It also helps the business develop optimally, supported by a strong enterprise risk management program.

These centralized platforms also provide training, education, and attestation capabilities that allow line-of-business teams to confirm that their systems and processes reflect and comply with the corporate standards.

Furthermore, enterprise-level reporting and gap analytics enable a company to find gaps in its cyber risk management capabilities as the business, the security policy, and the regulatory environment change.
