The Securities and Exchange Commission (SEC) adopted new cybersecurity disclosure rules in 2023 to improve cyber incident reporting and resilience. Public companies, including those that run their business on Software-as-a-Service (SaaS) systems, must disclose a cybersecurity incident within four business days of determining that it is material.

Description

The SEC’s new cybersecurity rules apply to all public companies, including those using SaaS systems [3] [4] [5], regardless of where a breach occurs: on-premises, in the cloud [4] [5], or in a SaaS environment [4]. The obligation also covers incidents that originate in third- and fourth-party apps connected to those SaaS systems. In one 2023 incident, a ransomware group that had breached a publicly traded company reported its own victim to the SEC after its extortion demands were ignored [1]. This may encourage more threat actors to report the breaches they cause in 2024 [1], with potential consequences for business valuations [1].

The SEC’s motivation for these rules is the substantial increase in cybersecurity incidents and their potential impact on investors and the market [4]. Although organizations rate their SaaS cybersecurity maturity as mid to high [2] [3] [4] [5], many have nevertheless suffered incidents [2] [3] [4] [5]. The prevalence of SaaS-to-SaaS connections compounds the governance challenge and the risk [4]: these integrations often carry hidden risks and vulnerabilities that traditional scanning and monitoring tools cannot see [4].

To address these challenges, organizations can use SaaS security posture management (SSPM) tools to protect and monitor SaaS systems and their SaaS-to-SaaS connections. These tools help assess and manage risk [4], monitor configurations and permissions [2] [4], and detect suspicious activity [2] [4]. Meeting the new SEC requirements strengthens investor confidence [4] and fosters a proactive cybersecurity culture [3] [4].
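The SaaS-to-SaaS connections described above are typically OAuth grants that a user consented to, so a minimal SSPM-style check is a review of the tenant's grant inventory for high-privilege scopes, unverified publishers, unused apps and apps missing from the approved-app register. The following is an added example written for this page, not code from any of the cited sources or from an SSPM product; the inventory record layout, the scope list, the 90-day staleness threshold and the sample grants are all assumptions made for the illustration.

```python
"""Added example: a minimal SSPM-style review of SaaS-to-SaaS OAuth grants.

The Grant record layout, the high-risk scope list, the staleness threshold and
the sample data below are assumptions for this illustration; a real check would
read the grant inventory from the SaaS platform's admin API or audit export.
"""
from dataclasses import dataclass
from datetime import date

# Scopes treated as high-privilege (assumption; tune per SaaS platform).
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/admin.directory.user",
}
STALE_DAYS = 90  # a grant unused this long is treated as stale (assumption)


@dataclass
class Grant:
    app: str                 # display name of the third-party app
    publisher_verified: bool  # platform marks the publisher as verified
    scopes: frozenset         # OAuth scopes the user consented to
    granted_by: str           # user who consented
    last_used: date           # last token use recorded by the platform
    approved: bool            # present in the organisation's approved-app register


@dataclass
class Finding:
    app: str
    reasons: list
    action: str  # "revoke" or "review"


def assess_grant(g: Grant, today: date):
    """Return a Finding for a grant that needs attention, else None."""
    reasons = []
    risky = g.scopes & HIGH_RISK_SCOPES
    idle_days = (today - g.last_used).days
    stale = idle_days > STALE_DAYS
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
    if not g.publisher_verified:
        reasons.append("unverified publisher")
    if stale:
        reasons.append(f"unused for {idle_days} days")
    if not g.approved:
        reasons.append("not in approved-app register")
    if not reasons:
        return None
    # A high-privilege grant that is stale, unapproved or from an unverified
    # publisher is revoked; anything else is queued for human review.
    revoke = bool(risky) and (stale or not g.approved or not g.publisher_verified)
    return Finding(g.app, reasons, "revoke" if revoke else "review")


def assess_grants(grants, today: date):
    """Assess every grant and keep only those with findings."""
    return [f for f in (assess_grant(g, today) for g in grants) if f]


# Constructed sample inventory (not real data).
TODAY = date(2024, 3, 1)
SAMPLE_GRANTS = [
    Grant("calendar-sync", True,
          frozenset({"https://www.googleapis.com/auth/calendar.readonly"}),
          "alice@example.com", date(2024, 2, 27), True),
    Grant("crm-connector", True,
          frozenset({"https://www.googleapis.com/auth/drive"}),
          "bob@example.com", date(2023, 11, 2), True),
    Grant("pdf-tool", False,
          frozenset({"https://www.googleapis.com/auth/drive"}),
          "carol@example.com", date(2024, 2, 28), False),
    Grant("slack-notifier", True,
          frozenset({"https://www.googleapis.com/auth/gmail.modify"}),
          "dave@example.com", date(2024, 2, 29), True),
]


def run_sample():
    """Map each flagged app in the sample inventory to its recommended action."""
    return {f.app: f.action for f in assess_grants(SAMPLE_GRANTS, TODAY)}


if __name__ == "__main__":
    for f in assess_grants(SAMPLE_GRANTS, TODAY):
        print(f"{f.action.upper():7} {f.app}: " + "; ".join(f.reasons))
```

The check deliberately separates "revoke" from "review": a verified, approved app that is in active use with a broad scope is a business decision for the app owner, whereas a broad scope combined with an unverified publisher, an unapproved app or months of inactivity is the hidden-risk case the text describes and is removed first.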

The rise in cybersecurity incidents, with attacks up 25% from 2022 to 2023 [4] [5], drove the SEC’s expansion into cyber risk regulation. The rules do not stop at incident disclosure: companies must also describe their cybersecurity risk management processes and the role of the Chief Information Security Officer (CISO), management and the board in cybersecurity risk oversight [4].

Conclusion

The average global organization uses 130 SaaS applications [3] [5], which shows how widespread SaaS is and why regulators are paying attention [5]. SaaS breaches and incidents occur regularly [5], and the average cost of a data breach reached an all-time high of $4.45 million in 2023 [5]. Public companies, usually through the CISO, must describe their processes for assessing [3] [5], identifying [5], and managing cybersecurity risks [2] [3] [4] [5], together with the role of the board of directors and management in overseeing those risks [2] [5].

The SEC’s new cybersecurity rules aim to improve cyber incident reporting and resilience at public companies, including those built on SaaS systems. Compliance with these rules [3], supported by SSPM tooling, protects investor confidence [2], keeps the company within its regulatory obligations [4], and fosters a proactive cybersecurity culture [3] [4]. The growing frequency of incidents makes ongoing vigilance and mitigation in the SaaS environment a necessity rather than an option.

References

[1] https://insights.alixpartners.com/post/102iyha/wake-up-call-five-cyber-trends-threatening-your-business-value-in-2024
[2] https://vulners.com/thn/THN:5D9A2DCBAB375451D11E0A55D17D8B98
[3] https://owasp.or.id/2024/02/01/understanding-new-saas-cybersecurity-rules/
[4] https://thehackernews.com/2024/01/the-sec-wont-let-cisos-be-understanding.html
[5] https://www.redpacketsecurity.com/the-sec-won-t-let-cisos-be-understanding-new-saas-cybersecurity-rules/