The SEC has just adopted final rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies. These final rules require material cybersecurity incident disclosure. They also require the annual disclosure of material information regarding your organization’s cybersecurity risk management, strategy, and governance practices.
These new rules highlight the importance of comprehensive, evidence-based intelligence on the assets, configurations, and security controls.
Background
While there are plenty of devils in the details, such as actual reporting timeframes and determining what “material” is, in short, as a public company, you must report a cyberattack within four days if that attack is determined to have a material impact. Cyberattack details must be made available in your company’s 8-K regulatory filings. Failure to disclose could equate to deceiving investors, which could lead to fines. Two items within the new SEC Rules stand out as deserving of a careful review.
- Regulation S-K Item 106(b) – Risk Management and Strategy – This item states that registrants must describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.
- Regulation S-K Item 106(c) – Governance – This item states that registrants must describe the board’s oversight of risks from cybersecurity threats, and registrants must describe management’s role in assessing and managing material risks from cybersecurity threats.
Why is Asset Intelligence so Essential for the New SEC Rules
Any information on your 8-K must be evidence-based, which is explicitly called out in the new SEC Rules, as well as an annual report, corporate governance document, committee charter, etc. This is regardless of the incident impacting revenue, brand, operations, ESG, etc. While having evidence-based information makes sense intuitively, in practice, this can be very challenging if your organization hasn’t implemented holistic, foundational controls for cybersecurity, IT operations, and GRC, such as asset intelligence. Further, this evidence must scale across all your devices, identities, and applications on-premises, remote, and in the cloud. Real-time and forensic details about each asset must be complete and available, and relationships between those assets must be easy to glean. If it wasn’t already apparent from the size of this paragraph, obtaining this level of evidence-based information is a big ask if you’re relying on legacy approaches.
Regulation S-K Item 106(b)
Regulation S-K Item 106(b) is about your security processes and the details behind them. It states that you must outline how you address cybersecurity threats and determine if those threats have had a material impact. To summarize a process detailing how you address cybersecurity threats, prudence dictates that you know what assets are within your company and the state of said assets. That’s simply a foundational measure that doesn’t pass the “duh test” regarding something that obviously should be done.
For example, you may have 50,000 laptops in your company. 40,000 are in your directory services solution and are running the proper security controls, which are up-to-date and functioning. 5,000 laptops are also in your directory services solution and running security controls, but environmental drift issues related to configuration and communication mean they are vulnerable. Finally, you have 5,000 other laptops running end-of-life OS releases or operating with vulnerable applications while also missing required security controls and not showing up within your directory services solution. You can quickly identify your assets’ presence and state and prioritize the highest risk. While these examples are device-specific assets, the same measures can be applied to identities, applications, or a combination of assets.
By understanding the presence and state of your assets, including their vulnerabilities, the state of the controls protecting and managing them, and cross-relationships between other assets, you have the evidence-based information needed to outline how you protect your assets from cyberattacks. This can also help determine which riskier assets may be more likely to be associated with a particular incident. Predicated on this evidence, with visibility into real-time and forensic asset intelligence, you can better determine what assets may have been impacted and if those assets will materially affect your business strategy, results of operations, or financial condition. It all starts with knowing what you have, the state of the controls protecting and managing them, and the cross-relationships between multiple asset types.
Regulation S-K Item 106(c)
Regulation S-K Item 106(c) is about your leadership accountability, and it highlights the need to describe how your board is providing cybersecurity oversight and how the management team is addressing the threats. As in 106(b), it’s hard to talk about accountability if your leadership doesn’t know if you have 100 or 100,000 assets and the state and presence of the controls protecting them. While they may not need the details outlined in 106(b), they need broad strokes. For illustration’s sake, let’s talk about the physical security of bank branches.
Leadership needs to know how many bank branches there are, where they are, what they do, how many employees work there, etc. Some standards must be addressed regarding physical security, like locks on the door, a robust safe, cameras, emergency buttons to call the police, and so on. Suppose a bank branch has a broken front door, no alarm system, a faulty camera, and a safe that won’t close. In that case, that’s critical evidence to know so that leaders can make informed business decisions such as closing the branch, fixing the security issues, moving customers to another branch temporarily, etc.
Once again, evidence-based asset intelligence becomes necessary because there is only one way to communicate the state of your security controls or the impact of an incident: having complete visibility into your assets. You could make assumptions and share that with the board and your leadership team, but at that level, there is zero tolerance for assumption-based decision-making, nor should assumptions appear in your 8-K. Asset intelligence is just as critical for security operations as it is for your company’s leadership, as it will help you better illuminate issues before, during, and after an incident with evidence-based measures.
Summary
Evidence-based asset intelligence is foundational to cybersecurity, IT operations, and GRC. It provides the information required to understand your assets and the state of their controls across devices, identities, and applications. To see how an Asset Intelligence Platform like Sevco can help you address the new SEC Rules, check out some of these product videos and request a personal demonstration.