SEC Rule on Risk Transparency: How to Mitigate External Risk

No one ever said cybersecurity was easy, and now let's add this summer's fun: implementing new SEC rules that require registrants to disclose, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance. As part of the rule, which took effect at the end of August, Regulation S-K Item 6 will require registrants to:

  1. Describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats.
  2. Describe the board of directors' oversight of risks from cybersecurity threats, as well as management's role and expertise in assessing and managing those risks.
  3. Make these disclosures in their annual report on Form 10-K.

Understanding the SEC’s new cybersecurity disclosure rules

While this may seem daunting, implementing a proactive cybersecurity program whose strategy is derived from risk may not be as hard as you might think.

The key is finding the right partner to answer your needs, not just regulatory but operational.

You have three choices under the new ruling or when addressing risk:

  • Wing it and gamble on whether the risk was worth the potential savings in time and money
  • Challenge your current in-house teams and vendors to address and reduce the risk
  • Look for new vendors to address these growing areas

Your options under the SEC's cybersecurity disclosure rules

Why this ruling?

Companies feel they can ignore risk, leave correctable issues unaddressed, and still not be held liable. The SEC's response is that this is not acceptable and that transparency is required. This ruling has increased the liability of the board and the company not only to identify and publish risk, but also to state how it will be addressed or why it is being ignored. Feeling like they are forcing our hand at addressing risk?

Yes, they are, and for good reason. Ignorance is not bliss; we owe it to our shareholders, clients and the public to recognize the risk areas in our cyber ecosystem and address them. While no single vendor can cover every risk area, addressing the growing risk from your external attack surface can save you time and money in the long run while meeting these SEC requirements. This is where an EASM solution like CybelAngel can help identify the critical attack vectors, reduce risk, consolidate your tool stack, address SEC concerns and save money over time.

Mitigating cybersecurity risks: How CybelAngel’s EASM solution can help

The risks of data breaches, vulnerable assets, phishing attacks, exposed credentials and shadow IoT originating from your third-party vendors, remote employees or even other business units are on the rise. Addressing these threats and attack vectors proactively will, obviously, reduce your risk.

Awareness of the areas that increase your exposure will allow you to identify, prioritize, address, and mitigate them, saving time and money. Reacting to, mitigating and recovering from the damage caused by a data breach, ransomware attack or network penetration will cost you 10x or more compared with using a low-cost, high-value vendor like CybelAngel.

In addition, current clients of CybelAngel are already prepared to report to the SEC and in their annual reports:

  • Threats coming from the external attack surface are identified and addressed via a robust and proven vendor.
  • Supply chain, third-party vendors and remote workers are addressed and secured.
  • Overall risk has been reduced and we are saving costs on response and recovery.

To learn more about the scope of cybersecurity in 2024, as well as future deep dives into the security issues that plague CISOs, keep an eye on CybelAngel's blog for the latest trends and insights.