The world around us is becoming increasingly digital and interconnected, with cybersecurity an even more critical concern amid an ever-increasing number of large-scale compromises. The lack of timely disclosure has warranted a change in divulging information to shareholders. In July, the U.S. Securities and Exchange Commission (SEC) released final cybersecurity rules requiring public companies to disclose details of material incidents, as well as details of cybersecurity risk management, strategy and governance. As companies grapple with these new mandates, they’re confronted with a profound realization: cybersecurity is no longer a checkbox for compliance but an imperative that affects their entire organization.
The SEC’s move to extend its cybersecurity requirements signifies a pivotal evolution in the regulatory landscape. It demands proactive measures, strategic planning, a holistic approach to safeguarding data and operations and a shift from an approach emphasizing regulatory environments versus the broader enterprise. In this article, we’ll delve into the expansive scope of the SEC cybersecurity requirements, exploring how they transcend the control environment over financial reporting and permeate every facet of an organization. We’ll also provide actionable insights and steps companies should consider to meet regulatory obligations and fortify their cybersecurity posture, enhancing their overall resilience to cyberthreats.
Regulations such as the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Sarbanes-Oxley Act (SOX), etc., have dictated how organizations focus their cybersecurity time and resources. These requirements drive how budgets and, subsequently, efforts are directed. However, we found that while organizations typically have effective controls and governance in these areas, things weren’t as good outside these environments. In many cases, assets are missing from the central inventory. Key controls like endpoint protection, logging and monitoring, vulnerability and patch management, and identity and access management are not deployed. These vulnerabilities could open an organization up to a greater risk of needing to disclose an incident that cascades from a reputational impact perspective.
For companies, resources and time are finite commodities. Companies have always prioritized where they focus their energy and drove budgets based on their unique priorities. As new regulations demand an enterprise-wide cybersecurity program, it’s unrealistic to fully implement security controls for every possible cyber risk an organization faces. As such, with proper resource alignment based on risk identification, organizations can apply the prioritization principles to drive the programs focused on compliance requirements to develop an effective approach to the new regulatory demands.
Your organization has multiple avenues for developing a proactive strategy toward the new SEC cybersecurity guidelines. These include:
Applying controls in a risk-based manner can be difficult if your organization is running in a flat environment. By using cloud-based services, microsegmentation, etc., organizations can realize the effectiveness and cost-controlling measures of risk-based security.
By following these strategic steps, your organization will make strides in meeting the SEC’s cybersecurity requirements and also build a robust cybersecurity foundation that safeguards your operations, data and reputation. In a rapidly evolving digital landscape, these actions are vital to ensure long-term resilience against cyberthreats.
KraftCPAs can help.
Call us at 615-242-7351, or send the information below be to contacted by one of our advisors.
- Should be Empty:
- Topic Name:
This article was written by RSM US LLP and originally appeared on 2024-01-09.
2022 RSM US LLP. All rights reserved.
RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each are separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. The RSM(tm) brandmark is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.
KraftCPAs PLLC is a proud member of RSM US Alliance, a premier affiliation of independent accounting and consulting firms in the United States. RSM US Alliance provides our firm with access to resources of RSM US LLP, the leading provider of audit, tax and consulting services focused on the middle market. RSM US LLP is a licensed CPA firm and the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.
Our membership in RSM US Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise, and technical resources.
For more information on how the KraftCPAs PLLC can assist you, please call us at (615) 242-7351.