
With the number of cyber threats rising rapidly, the U.S. Securities and Exchange Commission (SEC) has proposed new rules intended to help public companies protect their data and their investors. The rules would require public companies to make periodic disclosures about their cybersecurity risk management, strategy and governance, and to report a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material. Let's look at how these regulations can help protect companies and their investors from cybercrime.

The SEC's proposal, published in March 2022, would amend the periodic-reporting rules so that public companies describe their cybersecurity risk management program, their risk assessment processes, their incident response planning, and how management and the board oversee cyber risk. Companies would also have to disclose any "material" cybersecurity incident, and provide updates on previously reported incidents, because such events can hurt the company or its investors. Meeting the reporting deadline depends on a company's existing Disclosure Controls and Procedures (DCP) being extended to cyber incidents, so that information about an incident reaches the people responsible for the filing in time.

The proposal, issued under SEC Chair Gary Gensler earlier this year, would turn the SEC's earlier interpretive guidance on handling and disclosing cyber risk into binding requirements. Companies would have to report material incidents within four business days of determining materiality and disclose how management and the board oversee cybersecurity risk, the company's cybersecurity policies and procedures, and how cybersecurity risks and incidents are likely to affect the company's financial results. The SEC also released a fact sheet summarizing the proposal.

EU is in Step with the SEC

According to the Global Digital Trust Insights report from PwC, only 9 percent of respondents feel confident that they can effectively meet all disclosure requirements, even as pressure from regulators to report cyber incidents mounts. In the European Union, for instance, the NIS Directive requires operators of essential services to report any significant cybersecurity incident to their national competent authorities, with the European Union Agency for Cybersecurity (ENISA) supporting cooperation between those authorities.

The SEC is considering a rule requiring publicly held companies to disclose their cyber risk management, strategy, governance, and "material" cyber incidents. Proposed U.S. Cybersecurity and Infrastructure Security Agency (CISA) rules, mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) signed into law in March 2022, would require covered critical infrastructure organizations to report major cyber attacks and breaches within 72 hours and to report any ransomware payments they make within 24 hours.

Regulatory Drivers and Implications

Given the rising number of cyber attacks, public companies must have robust security protocols. The proposed rules do not mandate particular controls, but by requiring companies to describe their programs publicly they create a strong incentive to bring those programs up to recognized standards. They also provide greater transparency, so investors can make more informed decisions when investing in a company. A vital element of the rules is the clock: a company must report a material incident within four business days of determining that it is material, not of remediating it. This gives investors and regulators a timely view of the incident rather than one delayed until cleanup is complete, and it makes it easier for investors to assess a company's security posture before making an investment decision.

Reporting Requirements and Benefits

The proposed rules require that publicly traded companies provide periodic disclosures about their cybersecurity preparation and implementation plans, along with updates on any material incidents they experience during the reporting period. These reports give investors a clearer picture of how well-prepared a company is to handle potential cyber threats and of known weaknesses in its systems or networks. They also let investors gauge whether management is taking adequate steps to protect company assets and customer information.

5 Steps for Cyber Compliance and Transparency

  1. Enhance Your Cybersecurity Risk Management Program: Companies need a cybersecurity risk management program that identifies, mitigates, and continuously monitors the risks associated with their systems and data. The program should include procedures to assess the severity of threats and to select appropriate actions to mitigate them.
  2. Risk Assessment Process: Organizations must implement a risk assessment process that analyzes their threats and develops strategies to minimize them. The process should also feed a materiality assessment, so that when an incident occurs the company can decide quickly whether it must be disclosed, since the four-business-day clock starts with that determination.
  3. Incident Response Plans: Companies must have an incident response plan that lays out the steps to take in the event of a security breach. Plans should include measures to contain and mitigate the damage quickly, steps to protect customer data, procedures to notify authorities, and plans for restoring operations as soon as possible.
  4. Live-Fire Cyber Exercises for Continuous Security Improvements: Companies need a continuous security improvement program built on live-fire exercises that walk teams through each stage of response to a cyber breach. Exercises should test, train, and measure security teams, techniques, and technology, and the findings should be used to improve all three.
  5. Strategic Disclosure Program: Companies must also adopt policies that rehearse crisis scenarios against the four-business-day deadline and establish a regular investigative cadence for managing updates and notifications to impacted parties. The program's output is the disclosure itself: a description of the company's risk management program, its incident response plans, and any material cybersecurity incidents. Describing the risk management program will naturally cover how the company protects customer data and other sensitive information, such as credit card numbers and Social Security numbers, how it monitors its networks for intrusions and other malicious activity, and the methods it uses to detect unauthorized access.

By following these five steps, public companies can prepare for the SEC's proposed cybersecurity disclosure rules while protecting their data and their investors from cyber threats. Security has never been a one-and-done responsibility; it must be treated as an area for continuous investment, automation, training, and improvement.

Conclusion

The rules proposed by the SEC push publicly traded companies to take appropriate measures to protect themselves against cyber threats and to safeguard investor interests. By imposing reporting obligations and timely notification requirements, these regulations will create greater visibility into a company's preparedness against emerging cyber risks while giving investors more confidence when deciding where to invest their money. These regulations are critical for maintaining trust between businesses, customers, and investors in today's digital world.

Blog by Shaun Walsh
Shaun Walsh is the VP of Global Marketing at SimSpace. He has spent over 20 years in senior leadership positions for leading companies in the cybersecurity, cloud computing, AI and enterprise networking industries.