Total Security Advisor
Updated: Jan 26, 2023
The new U.S. Securities and Exchange Commission (SEC) rules, proposed in 2022 and expected to come into force in the spring of 2023, will require listed companies to report cyberattacks to core stakeholders such as investors, customers, and regulators. They build on the interpretive guidance released by the Division of Corporation Finance in 2011, which the Commission reinforced and expanded in 2018.
Although cybersecurity disclosure and governance have improved since then, disclosure practices have been judged inconsistent, and a further revamp of the regime has been called for. The push also follows the war in Ukraine, which has sharply expanded the cyberthreat landscape and driven an increase in nation-state attacks; average weekly attacks per organization worldwide have exceeded 1,130.
The proposal would require current reporting of material cybersecurity incidents on Form 8-K. It would also demand periodic disclosures covering, among other things, a registrant's policies and procedures for identifying and managing cybersecurity risk, and management's role in implementing them. Registrants would also be expected to disclose the board's cybersecurity expertise, if any, and how the board oversees cybersecurity risk. Updates on previously reported material incidents would become standard practice, and all of these disclosures would be tagged in Inline eXtensible Business Reporting Language (Inline XBRL).
The proposed amendments are designed to give investors a clearer view of an organization's cyber defenses and to ensure prompt reporting of material incidents. More cyber regulation therefore intensifies pressure on organizations to communicate with customers and investors about the safety of their data and the measures they are taking against a cyberattack that, sooner or later, will come. Mandatory disclosure would compel companies to explain how they safeguard information, and by extension investors' capital: knowledge the SEC believes customers and investors are entitled to.
The proposed rules would require a registrant to disclose a material cyber incident on Form 8-K within four business days of determining that the incident is material, alongside more general periodic reporting that updates previously disclosed incidents and describes the company's preparedness. The aim is to hold businesses accountable for the state of their security program and its resilience against adversary attacks.
The proposal has, however, provoked outcry and calls for withdrawal from Fortune 100 companies, which fear the regulation will hurt share prices and stakeholder confidence. When breaches expose highly sensitive information such as credit card or Social Security numbers, share prices drop by an average of 22%. The SolarWinds supply-chain campaign, assessed as an espionage operation, hit SolarWinds' own stock hard, sending it down by over 60% at the time. Yet although continuous, comprehensive, and effective cybersecurity practice is crucial from both a customer and a financial perspective, many businesses remain unaware of the measures they can take to mitigate risk and protect their critical infrastructure.
The attack on the Viasat satellite network on Feb. 24, 2022, the first day of the invasion, was the marquee cyberattack of the war. It has been attributed to Russian military intelligence and aimed to degrade communications and disrupt connectivity across several European countries. Microsoft's 2022 Digital Defense Report likewise observed that between July 2021 and June 2022 the share of nation-state attacks directed at critical infrastructure jumped from 20% to 40%, largely because of Russia's heavy attacks on Ukraine's critical infrastructure.
Although this may seem remote from the commercial sector, cyberattacks are the biggest risk facing businesses in 2023. As technologies such as artificial intelligence and, in time, quantum computing mature, the risk to the commercial sector grows. Ransomware gangs have already shifted their focus toward Europe: in the first half of 2022 there were 63% more attacks on European organizations than in the previous six months. In the U.S., losses from hacking incidents were up 64% year over year.
Cybersecurity best practice, and disclosure of how it is applied, is now a necessity for every business or organization that operates online. Tighter cyber regulation is meant to push companies to implement effective controls across the whole of their estate. The proposed changes would require companies to show that they are continually improving the protection of their networks and servers. Having disclosed a breach, a company would then be expected to report on how it is remediating the problem to keep customer data safe and reduce the risk of a repeat. Because the initial disclosure is due within four business days of the materiality determination, organizations need to have answers quickly, which in practice means having incident response, forensics, and impact assessment in place before the incident, not after it.
By investing in military-grade cyber defense approaches such as cyber ranges, companies can test their defenses to the point of failure and mitigate risk. Governments, nation states, and enterprises are under more pressure than ever to field battle-ready cybersecurity in the wake of the Ukraine war, and cyber ranges have become instrumental in protecting vulnerable systems, particularly critical infrastructure. Inside NATO's Cyber Range, armies prepare to defend against nation-state attacks by replaying the tactics, techniques, and procedures used in high-profile attacks against a high-fidelity replica of their own systems.
Businesses in 2023 likewise need to be able to test and safeguard their data to avoid large-scale attacks. Cyber range technology lets them test, evaluate, and report on the effectiveness of their defensive tooling, and of the people and processes around it. An organization that has exercised its defenses before a real attack will be far better placed when its resources are put to the test. Testing in a safe, simulated environment shows how effective current defensive tools really are, and where an organization's capabilities end.
As cybersecurity risks grow, broader regulation is needed to keep pace with the threat landscape. At present an estimated 85% of cyberattacks are kept hidden by the companies that suffer them, and cybercrime costs are expected to grow by 15% per year over the next five years, reaching $10.5 trillion annually by 2025.
As organizations increasingly fall victim to these attacks, regulators have woken up to the importance of mandatory cybersecurity requirements for companies. The goal is to ensure businesses are doing everything in their power to assess, monitor, and stop attacks in their tracks.
With the new SEC rules fast approaching, companies should take the initiative now to inventory, monitor, and secure their infrastructure, reducing the risk of data leaks and cybercrime that could prove crushing to the bottom line. Organizations face the same adversaries as their national governments: nation-state-backed groups attempting to exfiltrate sensitive data and advance a cyberwar that already transcends geographical boundaries.
The proposed SEC regulations would also give governments a better handle on the magnitude of the current threat landscape, and incident disclosure can help companies and government bodies recognize the same malicious activity on their own networks. Businesses, for their part, should use the opportunity to convince investors and customers that they are doing everything within their power to prevent, withstand, and respond to attacks.
Cyber ranges can give customers empirical evidence that an organization regularly tests and improves its systems against the latest threats. Measuring the effectiveness of people, processes, and technology on a cyber range helps organizations thwart attackers and manage their cyber risk. An effective cyber range also helps a business demonstrate adherence to regulatory standards while reassuring customers, shareholders, and investors.
William Hutchison is CEO of SimSpace, a cybersecurity solution provider for enterprises, governments, and critical infrastructure.
