The days are gone when cybersecurity was simply an add-on to an IT department’s existing workload. Expanding privacy legislation and data security regulations have put cybersecurity at the forefront of management imperatives for organizations of all types and sizes.
If you’re a public company, SEC regulations announced in July 2023 make it clear that responsibility for managing cybersecurity risk will now go all the way to the board level, and organizations need to adhere to stringent new disclosure and reporting requirements. The update will require annual cybersecurity program disclosures, and timely (i.e., within four days) disclosures of “material” cybersecurity incidents. The SEC also officially acknowledged the impact that cybersecurity risks could have on investor decision-making — underscoring the potential financial risks for companies. Similarly, the EU is adopting an artificial intelligence and privacy governance framework, and many U.S. states are implementing their own data privacy laws.
The new legislation and reporting requirements — along with the associated liability concerns — underscore the importance of a well-defined and funded cybersecurity program. Wondering where to start? Here are six areas you should focus on now to help strengthen your organization’s cybersecurity program and avoid becoming a victim of a cyberattack or regulatory penalty.
1. Assess the technical expertise you have to address your cybersecurity risks
Your organization likely has a cast of personnel and vendors to support your IT needs, but how often do you reevaluate these resources against your current and future technology plans? And, most critically, are your resources and managed IT services adequately trained to address current cybersecurity threats?
A strong cybersecurity program begins with a cybersecurity risk assessment, along with training tailored to your company’s current and future needs. If you’re an SEC filer, your program must include board of directors’ oversight of cybersecurity risk, along with management’s role and expertise in assessing, managing, and reporting the risks. While specialized cybersecurity expertise on the board isn’t a requirement of the new rule, it’s important that board members are educated on the cybersecurity practices within your company.
If your company uses a managed service provider, you also should assess their contractual obligations relating to cybersecurity needs and determine the level of effort needed by the vendor to stay ahead of emerging cyberthreats.
Finally, be sure you have the technical expertise you need available — especially those who specialize in digital forensics and incident response coordination — and be sure they’re on board before you need them. In some cases, this will require engaging outside experts on a retainer agreement.
2. Review and execute your cybersecurity incident response plans
Your company likely has a formal incident response plan (IRP) and regularly reviews it against changes within your environment. But do you test regularly to see if the plan actually works? And is the plan of sufficient detail to meet the SEC’s disclosure requirements? What about the cybersecurity breach requirements of the states you operate in? Have you defined what a “material incident” is at your company? Two of the most important components of your IRP are ensuring that your plan reflects the specific needs and risks of your company and testing your plan.
If you’re a public company, the SEC requires disclosure of “material” incidents when they occur. How is materiality defined at your company? Is it the exposure of a certain number of personally identifiable information (PII) records? Is it based upon a financial threshold? Or perhaps based upon system downtime? Some or all of these factors should be considered when determining your definition of materiality. It’s critical that the definition of materiality be documented in your IRP so that incident responders and regulators have clarity on your company’s specific materiality thresholds and on the steps required to meet the four-day disclosure requirement covering the incident’s nature, scope, timing, and impact on the company.
Perform a tabletop exercise of your IRP with key personnel to ensure stakeholders understand their responsibilities in the event of an incident, and confirm that data recovery and related incident plans have been updated to accommodate new systems and business processes. Be sure to include any outside experts who provide on-demand services in the tabletop exercise and related testing of your IRP.
3. Consider the effects of a cybersecurity event from your supply chain or vendor support
Attack vectors come from all different angles, and often through the path of least resistance. This means that if your vendors have access to your organization’s data or technology, then their incident response strategies are just as important as your own. Review the cybersecurity programs of your vendors with access to your critical data, understand their response strategies in the event of a cyberattack, and work closely with them to mitigate the impact of cyberattacks.
4. Focus on security updates for your information technology and critical systems
A vulnerability management program is a crucial component of your overall cybersecurity program. As you add new systems and tools to support your business, ensure proper due diligence is in place. This includes updated plans for deploying security updates, performing a vulnerability evaluation prior to going into production, and ongoing vulnerability evaluations for both legacy and new systems. As you adapt to a hybrid workforce, consider the threat landscape and address any new risks in your current environment. This could require additional network layer controls or moving toward Zero Trust networks.
5. Make sure cybersecurity training programs reflect the current risk environment
With the adoption of hybrid and remote working conditions, your personnel remain one of the most important lines of defense against cybersecurity threats. For that reason, your cybersecurity training and awareness program is now, more than ever, critical for all personnel, including senior management and board members. And it must be kept up to date to cover the cyberthreats currently being faced.
Solutions such as multifactor authentication (MFA) are a helpful addition to your cybersecurity program; however, not all systems in your organization may support such configurations. In these situations, additional diligence is critical when creating passwords or passphrases, along with clear communication about password length, age, and complexity, to ensure your personnel are maintaining security against these attack vectors.
6. Communicate changes in your cybersecurity program
Cybersecurity is the responsibility of everyone in the organization, but rapidly evolving cybersecurity threats and high staff turnover rates can create a significant challenge to timely communication.
Chances are your company’s personnel profile has changed dramatically over the past several years. Were your control activities updated in response? If so, how did you inform personnel who inherited these new responsibilities? Further, did you ensure staff ownership and accountability for these control activities? Establishing and reviewing formal communication channels among personnel relating to your cybersecurity program can ease the impact your organization may be facing due to the increase in staff turnover.
Cybersecurity is an ongoing journey for your organization
No one can predict the future, but one thing is certain: cybersecurity threats are continuing to evolve, and they’re getting more sophisticated. There’s no better time than now to review your cybersecurity program. Stay diligent in performing regular assessments to ensure you’re up to date with cybersecurity risks. Use the above considerations as a guide to solidify your plans and ensure adequate protection and response strategies are in place to comply with ever-evolving regulations and protect against increasingly dangerous cyberthreats.