
Proposed SEC cybersecurity rules loom large
Heading into 2023, cybersecurity professionals that work for public companies should expect a lot more scrutiny as new sets of rules created by the Securities and Exchange Commission (SEC) take effect.
While not yet final, the general expectation is that this spring there will be additional SEC requirements pertaining both to disclosure in the wake of a breach and to the subsequent updating of internal controls to address it. In addition to periodic disclosures of cybersecurity posture, penalties for failing to escalate cybersecurity incidents, where that failure results in delayed disclosure of prolonged exposure of customer data, are also expected to increase. There will most likely also be a requirement that at least one member of the board have cybersecurity expertise.
Those requirements should, in general, enhance the overall state of cybersecurity, so in that regard, they should represent a positive development. Much progress has been made in terms of increased overall awareness of the value of cybersecurity among business executives, but there’s still plenty of room for improvement.
On the downside, however, cybersecurity leaders may be more personally accountable for outcomes. There is already a lot of concern following the conviction of former Uber chief security officer Joe Sullivan for “obstruction of the proceedings of the Federal Trade Commission and misprision of felony in connection with the attempted cover-up of a 2016 hack at Uber.”
In addition to potential time in prison, the SEC has a reputation for levying stiff penalties. Cybersecurity leaders working in public companies may require some type of insurance policy to pay those penalties in the event the SEC levies a fine. Other cybersecurity leaders may simply decide that the risks are not worth the reward and opt to work for private companies not subject to SEC rules. The cybersecurity staff, however, may come to an entirely different conclusion: public companies will by law be required to invest more in cybersecurity, in ways that should ultimately make them a better place to work.
Regardless of whether cybersecurity professionals wind up working for a public or private company, the coming year promises to be substantially different. Much of the attention that cybersecurity professionals have been demanding for years is finally being paid. The level of effort required to achieve compliance with various mandates is, as a result, steadily rising. Organizations will still need to go above and beyond those mandates to adopt and maintain best practices, but at the very least, the compliance bar is now being raised. Less clear is how long it might be before organizations start being called to account by regulatory bodies such as the SEC, but one or two high-profile examples of fines being levied should make the message crystal clear to all.
In the meantime, cybersecurity teams that work for public companies should be preparing now for a new cybersecurity reality. In addition to having a deeper understanding of the known vulnerabilities affecting their environments, they will also need to assess the capabilities of the cybersecurity platforms they have in place today. The issue, as most cybersecurity professionals well know, is that many of those platforms are well past their expiration date in terms of actual usefulness.