On July 26, 2023, the SEC adopted rules requiring publicly traded companies to disclose material cybersecurity incidents within four business days of determining that an incident is material. Further, and more importantly, the rules also require companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats.
On October 30, 2023, these regulations and the actual practices of a publicly traded cybersecurity company came to a head, as the SEC announced charges against SolarWinds and its CISO for fraud and internal control failures relating to cybersecurity risks and vulnerabilities the company allegedly knew about. The complaint boils down to an allegation that the company concealed poor cybersecurity practices while publicly overstating the state of its security.
The charges against SolarWinds and its CISO present a harsh reality: CISOs need to be able to demonstrate and attest to the fidelity of their cybersecurity program with evidence that holds up to scrutiny.
Building a Well-Reasoned and Defensible Cybersecurity Program
The SEC's disclosure requirements point to four major activities a program must cover to be well-reasoned and defensible:
- Determine what is material
- Identify threats
- Assess threats
- Manage threats and vulnerabilities
The SEC rules and the complaint against SolarWinds make a pressing case for rapid change within the cybersecurity industry. There is simply too much at stake for CISOs and security teams to remain reactive. Leading with an understanding of your threat environment, supported by automated tooling, and maintaining readiness against the threats that matter most will prepare CISOs for the era of cybersecurity accountability that the SEC now demands.
For further guidance on how to prepare for this new era of cybersecurity accountability, check out the following Interpres resources:
- Join the upcoming LinkedIn Livestream event with HackerValley Media, scheduled for Thursday, December 7 at 3 p.m. ET
- Stop by the CISO Resource Center on SEC Cyber Enforcement
- Get a copy of the Whitepaper: SEC Cybersecurity Regulatory Actions & The Modern CISO
About Interpres Security
Interpres Security provides an unbiased view of an enterprise's security posture to help CISOs and security practitioners reduce threat exposure. Interpres Security analyzes the dynamic relationship between defensive and adversarial capabilities, prioritizes actions, and optimizes the enterprise security ecosystem, providing a single source of truth for defense surface management. To learn more about Interpres Security, request a demonstration of the platform and follow the company on LinkedIn or Twitter.