How listed companies can establish cybersecurity accountability in 2023
In 2023, regulators will throw down a 'reporting gauntlet' and mandate that listed companies disclose cyberattacks in record time. This legislative sea change will not only intensify the need for adequate protections against attacks, but will also require companies to identify an incident and report it to their shareholders and the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.
Regulators have taken note that businesses are fighting a losing battle against foreign and domestic cyber criminality. By introducing more stringent cybersecurity regulation, their aim is to ensure that companies treat cyberattacks as an increasingly systemic threat.
With cybercrime predicted to cost the world $10.5 trillion annually by 2025, a light is now being shone on the importance of securing critical infrastructure such as energy, transportation and financial services, which are pivotal to a functioning society and a strong economy. Regulators also seek to lower the risk to a business's stakeholders. In the words of SEC Chair Gary Gensler, "Investors are looking for consistent, comparable and decision-useful disclosures so they can put their money in companies that fit their needs".
A Welcome Legislative Change?
On March 9, 2022, the Securities and Exchange Commission (SEC) published a proposal named Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure. Under this legislation, listed companies would have to report "material" cybersecurity incidents to investors on a Form 8-K within 72 hours. This comes after a downtrend in Form 8-K and 10-K cyber incident disclosures in 2020 and 2021, despite a record number of cyberattacks.
The legislation would further require companies to disclose to CISA whether cybersecurity is part of the organization's business strategy, capital allocation and financial planning. The cyber governance measures included would also mandate periodic reporting on the board's oversight of cybersecurity risk, and would require any active company director with prior cybersecurity expertise to describe the nature of that experience.
The wide-ranging rules aim to increase transparency for investors and stakeholders, allowing them to make informed decisions about their equity and data and to improve their understanding of how companies manage their cyber risk exposures. Organizations will face large fines if they fail to comply with the SEC's regulation, meaning adequate cybersecurity protection and risk management are now more important than ever.
A best practice security program in 2023 must have the capacity to test, evaluate and report on the effectiveness of its operations, as well as adopt continuous improvements to sustain performance as new threats emerge.
Cybersecurity as a business need is neither new nor revolutionary, but as the types of threats facing businesses change, so must their defenses. Nation-state activity in 2022 saw global critical national infrastructure come under attack as Russia's war persisted.
Analysis from cybersecurity giant Mandiant found that software supply chain attacks targeted Ukrainian government agencies and malware attacks hit Polish institutions in a concerted effort to immobilize and weaken businesses and nation-state infrastructure. Organizations are now on the front lines of a cyberwar transcending sectors and geographic boundaries, with Goldman Sachs predicting that a Russian attack on US infrastructure could cost the economy up to $1 trillion.
To combat the heightened threat, businesses are seeking battle readiness for their systems and cyber teams. Military-grade protections such as cyber ranges provide a high-fidelity, realistic virtual replica of an organization's environment, in which teams and tools are comprehensively tested until failure. By simulating different security scenarios, cyber ranges have the potential to compress three years' worth of attacks into 24 hours of testing.
By going beyond endpoint monitoring tools and theoretical planning, teams can form bonds and develop the muscle memory required to successfully protect their organizations' strategic assets. Crucially, the metrics-driven reports derived from such exercises can also be instrumental in meeting the demands of legislative bodies and answering the questions of board members, such as 'How prepared is our company to disclose information?', 'Have we performed a gap assessment?', and 'Which cyber risk practices must change, and which must stay the same?'
Although the material threats posed by nation-state-backed groups in the last 12 months have awakened many organizations to the systemic risk that attacks against critical infrastructure pose, we cannot be complacent in our war against attackers. Preparing organizations for the continued cyberwar, as well as for the SEC's new regulation, will be on the mind of every CEO in the coming year, and the solutions chosen will be crucial in alleviating risk.
Companies must shift the way they frame their cyber exposure to an outcomes-based approach. Moving away from a tick-box mentality of coverage and the various tests they have passed, towards confidence in how the parts of their system work together, and ultimately to conviction in a quantified and benchmarked cybersecurity program operating as a whole, will be a key metric on which success is based.
James Gerber is Chief Financial Officer of global cybersecurity firm SimSpace. With expertise in both engineering and C-suite arenas, Jamie has amassed over 30 years' experience forecasting risk and setting strategy for some of the world's largest construction and transportation businesses. Jamie has previously held CFO titles at IronNet, Worldstrides and the Pension Benefit Guaranty Corporation (PBGC). During his tenure at the PBGC, a multi-billion dollar pension insurer, Jamie focused on shaping policy through the identification of systemic risks, tapping into the demands of insurers and audit committees while directing the investment portfolio as it grew from $32 billion to over $50 billion.