The rule requires public companies to report material cybersecurity incidents and annually report on elements of their cybersecurity risk management and strategy. Companies that are publicly traded on a U.S. stock exchange must comply with the rule’s cyber risk management and material incident disclosures starting in mid-December 2023 (or Spring 2024 for qualifying small companies). Let’s explore how the new SEC rule is affecting the role of the CISO and how security leaders should approach cybersecurity regulatory developments.
How Cybersecurity Regulation Impacts the CISO
The importance of the CISO role is on the rise. In any well-run security program, the CISO will have a growing relationship and set of touchpoints with the CEO and board. This only becomes more critical with regulatory developments like the new SEC rule, as CISOs are required to respond to incidents and report them up the chain of command.
New regulations give CISOs more guidance and requirements to track. There’s a general trend toward transparency that CISOs will want to keep in mind, and make sure is internalized to their organizations.
CISOs Don’t Need to Be Anxious
ProofPoint’s annual Voice of the CISO report indicated that “62% of CISOs were already concerned about potential liability in connection with incident response and corporate governance issues.” Adding the changing responsibilities under the SEC rules, CISOs might think there is reason to be increasingly anxious.
I’m optimistic that some of the new regulations can be helpful to CISOs and should reduce anxiety, not inflame it. The new SEC rule, for example, is prescriptive about when a material cybersecurity incident must be reported. This provides more clarity where before there was very little.
Clarity plays a key role in holding organizations accountable for accurate cybersecurity reporting. An organization that isn’t committed to security transparency (which in all honesty is most organizations) might be tempted to not disclose if the reporting requirements are not particularly clear. Legal or PR teams may default to a non-disclosure recommendation, which can be uncomfortable for a CISO. The SEC rule will be more prescriptive in these situations, and hopefully more upcoming clarity will follow suit.
As a CISO, Here’s How I Respond to New Regulation
As HackerOne’s CISO, I evaluate all new regulation through two different lenses:
- How will this affect HackerOne’s products and customers?
- How will this affect the HackerOne security program?
For customers, I’m always striving to make sure that HackerOne’s offerings are aligned with regulations and standards. For example, the new NIST control relating to vulnerability disclosure has some interesting specifics, such as the publicity of the VDP, the assets in scope, and methods of reporting, and I’ve made sure HackerOne’s products and delivery are aligned. Also, our Gold Standard Safe Harbor is exactly that – Gold Standard and informed by best practices worldwide.
For HackerOne itself, I keep on top of relevant regulations and standards to make sure our security program is compliant. Fortunately, HackerOne already runs a very high-quality and progressive security program. When new transparency requirements are introduced, I celebrate because we already have the maturity required to run a transparent program. We already disclose many security details even though no regulation requires us to do so. This builds trust with our customers that we’re sharing information and practicing what we preach.
There’s also a trend toward scrutiny of how the CISO interacts with the CEO and board. In many companies, it’s somewhat of an afterthought, but at HackerOne, we already formally present our suite of security risks to the CEO at least four times a year and to our board at least twice a year. We have a board committee, our Cybersecurity and Technology committee, populated by experts in the field, that is dedicated to the topic of risks from cybersecurity and our technology stack.
Recommendations for CISOs Amid New Cybersecurity Regulation
Here are some recommendations for helping your public company address key elements of the SEC’s new cybersecurity rule and what may be similar features of future regulation, as well.
- Cybersecurity Incidents: Reevaluate existing processes surrounding the disclosure of material cybersecurity incidents to ensure it includes necessary information and is disclosed within the time parameters, which for the SEC rule is four days.
- Risk Management: CISOs should help their public company report annually on their established cybersecurity risk assessment program, which includes engagements with third-party service providers and their connection with cybersecurity risks.
- Board Oversight: Along with the CISO's role in assessing and managing cybersecurity risks, be prepared to formalize the board’s oversight of risks and the processes by which the board or committees are informed of cybersecurity risks.
- Proactive Cybersecurity Measures: If they weren’t already, CISOs should invest in proactive measures that identify and remediate cybersecurity risks, such as bug bounty programs, Pentest as a Service (PTaaS), and security advisory services (SAS).
To learn how HackerOne can help CISOs ensure their organization is prepared for new cybersecurity legislation, contact our expert team today.