On July 26, 2023 the Securities and Exchange Commission (SEC) released its rules on Cyber Security Risk Management, Strategy, Governance and Incident Disclosure for Public Companies. In the announcement SEC Chair Gary Gensler stated “Whether a company loses a factory in a fire – or millions of files in a cyber security incident – it may be material to investors.” He went on to say that investors would benefit more from disclosures that are consistent, comparable and help them make decisions in a more useful way.
The questions and concerns on most CISOs’ minds are around the effectiveness of these new requirements, and whether they will ultimately do more harm than good. The consequences of a cyber security incident extend beyond compromised data and damaged reputation; they can also significantly impact a publicly traded company’s stock price.
It seems the SEC aims to protect investors and prevent insider trading from harming their portfolios by requiring companies to disclose significant events within four days. Some argue that the rules actually may not help companies, except to the extent that one subscribes to the notion that compliance requirements drive “real security outcomes.” We at 5Q believe that to be so.
To expand on that thought, in order to be prepared and show diligence around Cyber security, the following are paramount to govern and guide a company in its Cyber security posture:
Cyber Awareness Education;
Cyber Awareness Maturity Assessment based on NIST (National Institute of Standards and Technology) or CIS (Center for Internet Security) standards;
Incident Response Plan (IRP);
Written Information Security Plan (WISP).
Each of these is critical to establish a Cyber security culture that is second nature to employees and business partners and demonstrates a company’s commitment to addressing Cyber security awareness and disclosure.
Let’s clarify what these rules entail. Under the new mandates, organizations are required to do the following:
Report “material” cyber security incidents on a Form 8-K within four business days of determining they are material.
Describe the nature, scope, and timing of the incident and the material impact or reasonably likely material impact on the company.
Disclose their plans and procedures for achieving compliance.
Cyber security is no different from the Environmental, Social and Governance disclosure and reporting requirements companies already face, and many would argue that a Cyber security event has a greater impact on a company and its investors as it relates to company performance, viability and financial well-being.
Do these rules meet the intended objective of forcing companies to stay more transparent about their cyber security governance and incidents in a timelier manner? Time will tell whether it’s an effective rule.
5Q Cyber is prepared to work with your company, as it has with several in the real estate industry, to provide guidance and outcomes related to all the items listed above. Further, 5Q’s vCISO (Virtual Chief Information Security Officer) offering provides the expertise, leadership and partnership for your organization to establish a relevant Cyber security program. To cap all of this, 5Q’s Security as a Service – Security Operations Center (SOC) provides preemptive and continuous monitoring of your company’s core and building networks to further protect against threats that would require the disclosures outlined in the SEC’s rules on Cyber security Risk Management, Strategy, Governance and Incident Disclosure for Public Companies.