The world around us is becoming increasingly digital and interconnected, with cybersecurity an even more critical concern amid an ever-increasing number of large-scale compromises. The lack of timely disclosure has warranted a change in divulging information to shareholders. In July, the U.S. Securities and Exchange Commission (SEC) released final cybersecurity rules requiring public companies to disclose details of material incidents, as well as details of cybersecurity risk management, strategy and governance. As companies grapple with these new mandates, they’re confronted with a profound realization: cybersecurity is no longer a checkbox for compliance but an imperative that affects their entire organization.
The SEC’s move to extend its cybersecurity requirements signifies a pivotal evolution in the regulatory landscape. It demands proactive measures, strategic planning, a holistic approach to safeguarding data and operations and a shift from an approach emphasizing regulatory environments versus the broader enterprise. In this article, we’ll delve into the expansive scope of the SEC cybersecurity requirements, exploring how they transcend the control environment over financial reporting and permeate every facet of an organization. We’ll also provide actionable insights and steps companies should consider to meet regulatory obligations and fortify their cybersecurity posture, enhancing their overall resilience to cyberthreats.
Current state
Regulations such as the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Sarbanes-Oxley Act (SOX), etc., have dictated how organizations focus their cybersecurity time and resources. These requirements drive how budgets and, subsequently, efforts are directed. However, we found that while organizations typically have effective controls and governance in these areas, things weren’t as good outside these environments. In many cases, assets are missing from the central inventory. Key controls like endpoint protection, logging and monitoring, vulnerability and patch management, and identity and access management are not deployed. These vulnerabilities could open an organization up to a greater risk of needing to disclose an incident that cascades from a reputational impact perspective.
For companies, resources and time are finite commodities. Companies have always prioritized where they focus their energy and drove budgets based on their unique priorities. As new regulations demand an enterprise-wide cybersecurity program, it’s unrealistic to fully implement security controls for every possible cyber risk an organization faces. As such, with proper resource alignment based on risk identification, organizations can apply the prioritization principles to drive the programs focused on compliance requirements to develop an effective approach to the new regulatory demands.
Recommendations
Your organization has multiple avenues for developing a proactive strategy toward the new SEC cybersecurity guidelines. These include:
1
Make enterprise-wide organizational changes necessary to control cybersecurity, educational changes to develop a standard contextual “system” understanding among the board and risk experts, and cultural changes to imprint the importance of shared responsibility for cybersecurity upon your enterprise.
2
Inventory the assets in your environment. You must ensure your program considers a complete list of your assets. We often find that asset inventory and management are difficult for a majority of our clients. You need to seek tools and have a comprehensive process to validate you have a complete picture.
3
Leverage a single framework of controls. Your organization can use several existing frameworks from sources like the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) to encompass relevant requirements into one unified control structure.
4
Apply that control framework to your environment in a risk-based manner. Your entire organization still won’t need to be secured in the same manner as regulated environments. However, you will still need key controls such as patch/vulnerability management, privileged access management, multifactor authentication, data protection and incident monitoring/response. While the SEC requirements have focused on governance, monitoring and response, you still need to ensure you protect your organization beyond just meeting the minimum standards defined by the requirements.
5
Assess and monitor the controls. To maintain the program, you need to ensure your controls are effective and stay effective for the long term. Develop a compliance approach for those controls, including automation and tools like enterprise governance, risk and compliance solutions to validate that your organization is following the rules effectively and protecting your environment.
Applying controls in a risk-based manner can be difficult if your organization is running in a flat environment. By using cloud-based services, microsegmentation, etc., organizations can realize the effectiveness and cost-controlling measures of risk-based security.
By following these strategic steps, your organization will make strides in meeting the SEC’s cybersecurity requirements and also build a robust cybersecurity foundation that safeguards your operations, data and reputation. In a rapidly evolving digital landscape, these actions are vital to ensure long-term resilience against cyberthreats.
This article was written by RSM US LLP and originally appeared on 2024-01-09.
2022 RSM US LLP. All rights reserved.
https://rsmus.com/insights/services/risk-fraud-cybersecurity/going-beyond-compliance-to-strengthen-your-organizations-security.html
RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each are separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. The RSM(tm) brandmark is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.
KraftCPAs PLLC is a proud member of RSM US Alliance, a premier affiliation of independent accounting and consulting firms in the United States. RSM US Alliance provides our firm with access to resources of RSM US LLP, the leading provider of audit, tax and consulting services focused on the middle market. RSM US LLP is a licensed CPA firm and the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.
Our membership in RSM US Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise, and technical resources.
For more information on how the KraftCPAs PLLC can assist you, please call us at (615) 242-7351.
KraftCPAs can help.
Call us at 615-242-7351 or complete the form below to connect with an advisor.