On July 26 the U.S. Securities and Exchange Commission (SEC) announced that it has adopted new rules requiring applicable organizations to make annual disclosures of their cybersecurity risk management, strategy, and governance programs. The new rules, which take effect thirty days after publication in the Federal Register, also require those organizations to disclose “material cybersecurity incidents” within four business days of determining that an incident is material.
According to the SEC press release, the changes were made to reflect the risks cybersecurity incidents pose to investors. Furthermore, the Commission believes investors should have access to information about the programs organizations have in place to prevent and respond to potentially material events.
In the announcement SEC Chair Gary Gensler said, “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
New Rules, Good Tools
Adoption of these new rules reflects the growing importance of the processes behind data security and management. It also underscores that it is not enough to have good tools in place to keep data and networks safe; you must also be able to document that the processes around those tools exist and are working as intended. It is more evidence of the value of process auditability: if you can’t prove compliance, you aren’t compliant.
Integral, automated auditability also comes into play for organizations that are now required to “disclose… any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant” within four business days after determining an incident is material. There are two reasons why that is important:
- Cybersecurity incidents require digital forensic investigation, and the level of detail available can decide whether an incident is material or not. For example, if sensitive data was intercepted in transit or misdelivered, that data must be treated as compromised unless you can show that the files were encrypted, and that the decryption key was not exposed along with them. Without transfer logs that record what was sent, to whom, and whether it was encrypted, you cannot make that case.
- Cybersecurity incident disclosures always prompt reporters, investors, lawyers, corporate officers, board members, and regulators to ask a lot of uncomfortable questions. “I don’t know” is rarely a satisfactory answer, but a detailed audit trail of the actions taken while sensitive data was moved and managed means you are far more likely to know what happened, why it happened, and what can be done in response.
It Helps to Have a Plan
Of course, a sound cybersecurity program backed by the right tools makes an incident less likely in the first place, and an incident response plan leaves you better prepared when one does occur. The Ponemon Institute/IBM 2023 Cost of a Data Breach Report found that “[incident response] strategies and tactics have been instrumental in reducing the impact of data breaches,” and that organizations with an incident response plan and team identified breaches 54 days faster than those without. That is nearly eight fewer weeks for a threat actor to do their work inside your network.
Coviant Software is proud to offer an award-winning managed file transfer (MFT) platform that many organizations rely on as a part of their data security and management programs. Our Diplomat MFT line of secure, managed file transfer products automates essential tasks like OpenPGP file encryption and file transfer scheduling, supports secure transport protocols like SFTP, and uses multi-factor authentication for administrative access. Our user interface is deployed securely behind the firewall—never internet-facing—and, of course, we automate the capture of data associated with the file transfer process so that you have the assurance of complete auditability.
Give us a try for free for 15 days, or contact us directly with any questions you might have about our products or managed file transfer in general. Our expert, industry-best customer support will be happy to help you out.