New SEC Disclosure Rule Helps Companies Adapt Security-First Mindset

Under new Securities and Exchange Commission (SEC) rules, public companies must disclose all data breaches within four business days after they are determined to be material. Publicly traded companies must also reveal details about their cybersecurity risk management and executive expertise each year. 

What’s driving these new rules? The SEC is obligated to protect investors, and breaches can significantly affect a company’s bottom line and operations. Cybersecurity is a game with moving goalposts, and the idea behind these regulations is to give investors more insight into the security posture of their investments. This may encourage public companies to strengthen their security stance, though some argue that this may be harder for smaller companies to manage.

Others worry that the new ruling is an SEC power grab and could benefit attackers because companies need to spell out their cybersecurity strategy publicly. Still, others welcome this change since it requires companies to move cybersecurity from the “good idea” to the “mandatory” column. 

Taking a security-first approach

At Devo, we are big proponents of a security-first mindset, and we believe this rule will help encourage more companies to make this shift. After all, most organizations tend to fall in line when something becomes law – few want to face the consequences of not doing so. If an organization has struggled to get the C-suite to take cybersecurity seriously, the threat of running afoul of the SEC can help provide the impetus needed. 

As cybersecurity becomes table stakes, investors will come to expect top-notch security and start evaluating this as part of their decision on whether to give a company their funds (or not). Ultimately, this will benefit companies, investors, and customers. Some are concerned that this will place an undue burden on smaller companies that lack the financial and personnel resources of the marquee firms. But this suggests that strengthening an organization’s security posture requires millions of dollars – and that’s often not the case. 

Basic cyber hygiene goes a long way, as does using or tweaking what you already have in place. For instance, ensure that employees make all system updates as soon as they are notified. Use multifactor authentication and encryption wherever it’s available. Change your router settings so that all routers are password-protected. These changes cost nothing yet markedly improve security posture.

The impact on third parties 

The new SEC rule applies to third-party vendors too. Recent data shows the wisdom of this inclusion. One of the biggest risks regarding security beaches is the threat from supply chain partners. The SANS 2023 Attack and Threat Report found that supply chain partners were responsible for 40% of breaches in 2022. And Verizon’s most recent Data Breach Investigation Report holds third parties responsible for 62% of breaches. Whichever is more accurate, the point is clear. 

Verizon highlighted another disturbing finding: certain cybercriminals, such as nation-state actors, prioritize gaining access over stealing confidential information. According to their analysis, this becomes a “force multiplier” since the attacker stays hidden on the network for an extended amount of time to keep an eye on confidential data and business operations.

Increasing legislative action

Though not yet mandatory, CISA’s recently announced Secure by Design, Secure by Default initiative is a harbinger of future regulations. Governments and regulatory bodies worldwide recognize the importance of protecting sensitive data and ensuring the security and privacy of individuals and organizations. The European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two well-known examples, but there is currently no federal-level data privacy or security law. It seems like this is more of a “when” than an “if” question.

Companies will face more rules and laws regarding security breaches in the future. Organizations should stay informed about regulatory developments, implement robust cybersecurity measures, and create comprehensive incident response plans to ensure compliance and to protect their customers and stakeholders.

A move in the right direction

All things considered, the new SEC rule is a win – not just for companies but for everyone they serve. Cybersecurity has always been important, and now publicly traded companies have the opportunity to differentiate themselves by making sure their security is top-shelf. 

Curious about how to build an effective proactive defense model for your organization while mitigating the chance of a breach you’d have to disclose? Download The SANS 2023 Attack and Threat Report.