Navigating The New SEC Cybersecurity Ruling

On August 4, 2023, the U.S. Securities and Exchange Commission (SEC) published a cybersecurity disclosure rule in the Federal Register requiring public companies to enhance and standardize their cybersecurity risk management, strategy, governance, and incident reporting disclosures.

The ruling responds to the growing occurrence of breaches and their significant financial consequences, seeking to improve transparency for investors and bridge gaps in cybersecurity defense and disclosure practices. With a strong focus on material impacts, the new regulations aims to safeguard investor decisions by highlighting potential cybersecurity risks that may impact a company’s value, profitability, and reputation.

Key Takeaways from the SEC Cybersecurity Disclosure Requirements:

• Cybersecurity Incident Disclosure: Public companies (asset-backed issuers excluded) must disclose material cybersecurity incidents within four business days after determining their materiality. A narrow exception allows for delayed disclosure when national security or public safety is at risk.
• Annual Disclosures in Form 10-K/20-F: Companies must include comprehensive disclosures in their annual reports, outlining processes for assessing, identifying, and managing material cybersecurity risks. This includes an assessment of cybersecurity risks affecting business strategy, results of operations, and financial condition.
• Governance Disclosure: Annual reports must disclose any board committee responsible for overseeing cybersecurity risks, along with the processes through which the committee receives information about such risks and management’s expertise in assessing and managing these risks.
• Inline XBRL Tagging: Companies must tag cybersecurity disclosures using Inline eXtensible Business Reporting Language (XBRL), a standardized markup language designed for exchanging and processing financial and business information to enhance the accessibility and transparency of information.

Important Dates

The final ruling outlines different effective dates for various disclosure requirements:

• Annual reports on Form 10-K and Form 20-F: Starting with fiscal years ending on or after December 15, 2023.
• Form 8-K and Form 6-K disclosure requirements: December 18, 2023, for public companies (except smaller reporting companies) and June 15, 2024, for smaller reporting companies.
• Structured data (Inline XBRL) requirements: One year after initial compliance with the related disclosure requirement.

Impact of the SEC’s Ruling on Operational Technology (OT)

The SEC’s final ruling explicitly designates “degradation, interruption, loss of control, damage to, or loss of operational technology systems” as triggers necessitating disclosure. This specific emphasis on OT is not surprising, given the rising occurrence of cyberattacks causing notable material impacts in manufacturing and process industries. While OT is not the primary focal point of the rule, it strongly implies companies should consider it well within the regulatory scope.

Many companies will realize their historical oversight of OT cybersecurity as they align with these new regulations. Neglected without consequences in the past, weaknesses in OT security will now assume a prominent role, emerging as significant concerns. These are not mere vulnerabilities anymore; they are tangible business risks subject to penalty.

However, incorporating complex OT environments into cybersecurity governance is not easy, and organizations will need substantial expertise in OT to build thorough and strong processes and procedures. With growing attention from market analysts and investors on the horizon, this gap becomes even more worrying, as inadequate measures will not hold up against reviews or audits.

Organizations need to actively seek partnerships with vendors and experts specialized in OT for effective preparation. This move is strategic and essential for survival in an increasingly tight regulatory environment. Experts can help ensure compliance and defense against real-world cybersecurity threats to directly protect business interests.

Essential Next Steps for OT in Navigating the New SEC Ruling

With the introduction of the new SEC ruling, organizations managing OT must now focus on several crucial next steps:

• Comprehensive Assessment: Thoroughly assess your current OT systems, processes, and cybersecurity measures. Identify any gaps or vulnerabilities that might expose your organization to risks or non-compliance.
• Incorporate OT in Policies: Review and update your cybersecurity policies and procedures to explicitly include OT systems. Ensure that your documentation encompasses IT and OT environments, as the SEC’s ruling applies to both.
• Gap Identification and Remediation: Use the assessment results to identify gaps in your OT cybersecurity. Prioritize addressing these gaps to align with the SEC’s disclosure requirements. This may involve revising existing security measures or implementing new ones specific to OT.
• Expertise Enhancement: Recognize that the nuances of OT cybersecurity require specialized expertise. Invest in training and upskilling your internal teams to understand OT-specific challenges and solutions. This expertise will be crucial in ensuring compliance and effective protection.
• Partnering with Experts: Consider collaborating with external partners or vendors specializing in OT cybersecurity. Their deep knowledge and experience can help you bridge expertise gaps, design robust protocols, and ensure compliance with the SEC’s requirements.
• Incident Response Plan: Develop a comprehensive incident response plan tailored to OT environments. This plan should outline procedures for identifying, addressing, and reporting incidents that trigger the SEC’s disclosure criteria.
• Efficient Data Collection: Ensure your organization can efficiently collect and report comprehensive data from your OT systems. In an audit or investigation, having readily available data will be crucial in demonstrating compliance.
• Continuous Monitoring: Implement continuous monitoring and threat detection mechanisms for your OT systems. This proactive approach helps identify potential vulnerabilities or breaches early, allowing you to take swift action.
• Regular Audits: Regularly audit your OT cybersecurity measures to ensure ongoing compliance and effectiveness. Regular assessments help you stay ahead of emerging threats and evolving compliance requirements.
• Documentation Maintenance: Regularly review and update your cybersecurity documentation to reflect changes in your OT systems, processes, and policies. This ensures that your compliance efforts remain current and relevant.
• Employee Training: Educate your employees, particularly those working with OT systems, about the implications of the new SEC ruling and the role they play in maintaining compliance. This awareness enhances the overall cybersecurity culture within your organization.

By taking these proactive steps, organizations can navigate the impact of the new SEC ruling on OT cybersecurity effectively. Ensuring compliance, bridging expertise gaps, and fortifying your cybersecurity measures will meet regulatory demands and enhance your organization’s resilience in an increasingly complex threat landscape.

Verve: Your Partner in Navigating the SEC’s New Cybersecurity Rules

As regulations increasingly impact OT, the significance of an adept OT security partner is becoming undeniably paramount. Verve not only provides innovative solutions but also has a team of OT experts with a depth of understanding that spans the unique intricacies and nuances of the industrial sector.

With Verve, you are not just ticking off compliance boxes. You are fortifying your OT cybersecurity stance, preparing for rigorous evaluations, and ensuring your business operations remain resilient in a stringent regulatory landscape.

Here is how Verve can help organizations ensure their OT cybersecurity meets regulatory standards:

Comprehensive Data Collection

Comprehensive data collection supports organizations in assessing, identifying, and managing material risks from cybersecurity threats, a key focus of the new rules. Verve’s data collection from various sources, including endpoints, users, vulnerability databases, and security tools, aligns with the SEC’s requirement to disclose material aspects of incidents.

Contextual Risk Assessment

Verve’s provision of contextual information about asset roles, impact, and operational context supports the SEC’s requirement to disclose material aspects of incidents’ nature and impact on the company’s financial condition. Organizations can use this contextual information to assess and disclose potential risks accurately.

Risk Scoring and Mitigation Recommendations

Verve’s automated risk scoring and actionable dashboards directly apply to the SEC’s emphasis on disclosing material impacts from cybersecurity threats on business strategy, results, and financial condition. Organizations can use our risk-scoring algorithms to prioritize mitigation efforts and provide accurate insights to investors.

Customizable Dashboards and Visualizations

The customizable dashboards and visualizations offered by Verve’s platform are valuable in providing clear and informative disclosures. Just as organizations must develop post-incident monitoring for required annual disclosures, our customizable dashboards can facilitate ongoing monitoring and presentation of incident information.

Compliance Monitoring and Secure Configuration

Verve’s compliance monitoring and secure configuration capabilities contribute to accurate and comprehensive disclosures. This aligns with the SEC’s focus on describing processes for assessing, identifying, and managing material risks from cybersecurity threats.

Integration with MITRE ATT&CK Framework

Verve’s integration with the MITRE ATT&CK framework aligns with the SEC’s focus on disclosing material aspects of incidents’ nature, scope, timing, and impact. This integration helps organizations demonstrate a forward-looking assessment of material impact or likelihood, as required by the definition of “jeopardizes” in the rules.

Agility and Flexibility

Verve’s agile and flexible nature resonates with the SEC’s new emphasis on disclosing material cybersecurity incidents without unreasonable delay. Organizations can adapt the platform to their challenges, ensuring accurate and up-to-date disclosures.

Customer Success Approach and Managed Services Offering

Verve’s proactive customer success approach ensures that organizations receive dedicated support during the critical initial weeks or months after installation and beyond. In addition, our managed services team is highly skilled in the organizational nuance of OT cybersecurity, can help organizations develop effective incident response playbooks and communication channels.

Anticipating the Regulatory Future: Why OT Expertise is Your Business’s Best Asset

The regulatory response will continue to intensify as the cybersecurity landscape rapidly evolves. The SEC’s recent disclosure rule signals the onset of what we can expect to be a series of stringent cybersecurity regulations. This initial directive, while encompassing, doesn’t single out Operational Technology (OT). Yet, it’s clear: the regulatory spotlight on OT isn’t far behind.

As cyber threats magnify, OT will inevitably become central to the conversation. Businesses should act now, rather than react later. To navigate this shifting terrain and anticipate the regulatory waves ahead, partnership with OT-specialized experts is paramount. Verve stands at the forefront of this expertise. By aligning with us, organizations gear up for the present and set a robust foundation for the future, ensuring they remain resilient, compliant, and ahead of the curve in an ever-changing digital world.