New cybersecurity regulations, such as the US Securities and Exchange Commission's (SEC) incident reporting requirements and the EU Cyber Resilience Act, have been implemented globally [1]. These regulations cover areas including workforce development, incident reporting, vulnerability reporting, and AI security [1] [2]. They place additional demands on businesses and emphasize the need for a robust incident response plan [2].

Description

The SEC rules require public companies to disclose material cybersecurity incidents and to provide periodic disclosures on cybersecurity risk management and governance [2]. Registrants must describe their processes for assessing and managing material risks from cybersecurity threats and disclose any cybersecurity incidents that are determined to be material [2]. The rules offer little clarity on what makes an incident material, so companies must weigh various factors in making that determination [2]. The SEC has also narrowed the scope of incident disclosure, added a limited delay for disclosures that pose a substantial risk to national security or public safety, and streamlined the risk management and governance disclosure requirements [2].

In addition to the SEC rules, organizations must also prepare for the EU Digital Operational Resilience Act (DORA), which requires companies to be able to withstand, respond to, and recover from ICT-related disruptions and threats [2]. The recognition of cybersecurity's importance at the government level is seen as an opportunity for security leaders to enhance their role within their organizations and to increase security investment; it gives CISOs a chance to elevate their influence at the boardroom level [1]. The SEC recommends enlisting help from third-party cyber experts for drafting and implementing cybersecurity strategies [2]. The final rules require disclosing the board's oversight of cybersecurity risks, but the requirement to disclose the board's cybersecurity expertise was abandoned [2]. Boards nevertheless still have an obligation to exercise appropriate oversight of cybersecurity [2].

Conclusion

These new cybersecurity regulations have significant impacts on businesses, requiring them to prioritize incident response planning and to disclose material cybersecurity incidents. The lack of clarity on what constitutes a material incident poses a challenge for companies, which must weigh various factors in making that determination [2]. At the same time, the recognition of cybersecurity's importance at the government level presents an opportunity for security leaders to enhance their role and influence within their organizations. Organizations must also prepare for the EU Digital Operational Resilience Act, which emphasizes the need to withstand, respond to, and recover from ICT-related disruptions and threats [2]. Overall, these regulations highlight the growing importance of cybersecurity and the need for businesses to prioritize and invest in robust cybersecurity strategies.

References

[1] https://www.infosecurity-magazine.com/news/isos-elevate-role-with-cyber/
[2] https://www.kroll.com/en/insights/publications/cyber/2023-sec-cybersecurity-rules