Cyber Exposure Management Meets the New SEC Reporting Requirements


The recent SEC breach disclosure rules place enormous pressure on CISOs. The new SEC disclosure requirements for public companies require companies to report annually on their cybersecurity risk management and governance efforts and publicly announce cybersecurity incidents that prove "material."

Determining materiality may be one of the most prominent challenges organizations face under the new rules. What exactly is a material cybersecurity incident? How much business disruption and cost must be incurred before a breach is "material"? Once a breach is determined to be material, the rules require disclosure of the nature of the incident, its scope, and its timing.

"Technically, none of this should change how organizations manage risk. Every organization should focus on their biggest risks, reducing and managing their vulnerabilities on their attack surface, and emphasizing protecting their most valuable systems and data," says Michael Farnum, an advisory CISO at the cybersecurity services firm Trace3. "If organizations aren't maturely managing their security and risk, they are going to have to start, or they're going to have a tough time with these new regulations," he adds.

Critics say the new SEC rules put massive pressure on CISOs to disclose material incidents before they may possess all the details of the incident or its full scope.

Incidents often take weeks, sometimes months, to understand in their full magnitude. To successfully navigate the new rules, CISOs must now be able to work with their various business divisions -- finance, legal counsel, human resources, and digital investigators -- to determine the scope of an attack. As the investigation continues and new details emerge, that subsequent information must also be disclosed.

Companies that don't have sound enterprise risk management solutions in place will find themselves scrambling to comply. Those with mature processes will have a substantially easier time complying. This post details how cyber exposure management can help ease some of the strife associated with the new SEC disclosure rules. 

Before we detail how cyber exposure management can help with the new SEC disclosure rules, we must define what cyber exposure management means. Cyber exposure management is a proactive set of tools and processes that allows organizations to view their entire attack surface and understand which areas of their IT infrastructure are vulnerable (out-of-date patch levels, misconfigurations, poor credential security) and most exposed to risk. Once vulnerabilities and exposures have been identified, the proactive cyber exposure management lifecycle calls for assessing, prioritizing, and remediating them across the digital attack surface.

Organizations must identify and quantify the most valued systems operating in their environment as part of the prioritization and remediation process. These include systems that support business operations and systems that manage valuable and sensitive data, such as data whose compromise would mean a significant loss of intellectual property or customer data. In this way, cyber exposure management can help streamline enterprise risk management practices by combining security visibility practices with a business-contextualized view of risk. This exercise will help describe the organization's security program to the SEC and, should a breach occur, more readily determine whether that breach is potentially material.
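As an added illustration (not code from the original post or from Trace3) of the lifecycle described above, the following constructed example scores findings by the exposure classes the post names, scales them by each asset's business criticality and data sensitivity, and lists the assets a breach would most likely turn into a materiality question. The weights and multipliers are assumptions, not a standard.

```python
# Added example, not from the original post: a minimal cyber exposure
# prioritisation pass over constructed data. Findings use the exposure
# classes the post names (out-of-date patches, misconfigurations, poor
# credential security); the per-class weights below are assumptions.
from dataclasses import dataclass, field

EXPOSURE_WEIGHT = {"missing_patch": 3, "misconfiguration": 2, "weak_credential": 4}

@dataclass
class Asset:
    name: str
    criticality: int        # 1 (low) .. 5 (supports core business operations)
    sensitive_data: list = field(default_factory=list)  # e.g. ["customer_pii"]

@dataclass
class Finding:
    asset: str
    kind: str               # key of EXPOSURE_WEIGHT
    severity: float         # e.g. CVSS base score, 0..10

def exposure_score(asset, finding):
    """Technical severity scaled by business criticality, with an extra
    multiplier when the asset holds sensitive or regulated data."""
    score = finding.severity * EXPOSURE_WEIGHT[finding.kind] * asset.criticality
    if asset.sensitive_data:
        score *= 1.5
    return round(score, 1)

def prioritise(assets, findings):
    """Return (score, finding) pairs ordered for remediation, highest first."""
    by_name = {a.name: a for a in assets}
    ranked = [(exposure_score(by_name[f.asset], f), f) for f in findings]
    return sorted(ranked, key=lambda t: t[0], reverse=True)

def material_candidates(assets, findings):
    """Assets holding sensitive data that carry an open finding: the ones
    where a breach would most likely require a materiality decision."""
    open_on = {f.asset for f in findings}
    return sorted(a.name for a in assets if a.sensitive_data and a.name in open_on)

ASSETS = [  # constructed sample inventory
    Asset("erp-db", 5, ["customer_pii", "financials"]),
    Asset("marketing-web", 2),
    Asset("dev-jumpbox", 3),
]
FINDINGS = [  # constructed sample findings
    Finding("marketing-web", "missing_patch", 9.8),
    Finding("erp-db", "weak_credential", 7.5),
    Finding("dev-jumpbox", "misconfiguration", 5.3),
]
```

Note that the highest raw CVSS score (the web server's missing patch) does not land first; the weaker-severity credential finding on the ERP database does, because business context, not technical severity alone, drives the ranking.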

Cyber exposure management helps organizations identify, assess, and prioritize risks more effectively. Organizations rely on cyber exposure management to find and remediate environmental conditions that create risk and could lead to cybersecurity incidents, such as ransomware attacks, the exposure of sensitive and regulated information, and more. These processes are a critical part of the overall security management efforts that must be reported to the SEC and help to understand when a cybersecurity incident is material and should be disclosed.

Cyber exposure management also helps to improve the processes and technological security controls used to manage the vulnerable conditions uncovered by the program, reducing the organization's overall security risk. Effective monitoring and management of the attack surface helps security operations teams better detect, respond to, and ideally prevent successful attacks. The program also allows organizations to spend their security budgets more efficiently by continuously identifying where the most vulnerable and most valuable systems and data reside.

Because organizations understand their data and systems more comprehensively, they can better determine what incidents are material.

"It's absolutely essential that enterprises have a centralized group managing security across their organization and build a security framework that enables them to identify where they are vulnerable and understand the business impact of those vulnerabilities," says Farnum. "And the more buttoned-down this is, the more straightforward complying with the SEC's new rules will be, or complying with any security regulation for that matter," he adds.