Will Smaller Companies Buckle Under the SEC's New Requirements?
Even though the new incident reporting rules create pressure, they serve as a forcing function for building a strong security foundation.
COMMENTARY
The Securities and Exchange Commission's (SEC's) new incident reporting requirements have brought about many questions and concerns among security professionals and government bodies.
One argument is that the requirements are duplicative of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and will create more work for already resource-constrained cybersecurity teams.
Another is that a four-day disclosure window is not only too early to determine the impact, but that disclosing sensitive breach information publicly on the heels of a breach could attract bad actors to exploit the vulnerability before it's fixed.
Opinions and speculation aside, the challenges are real:
Data today flows across many companies, systems, and subsidiaries, making the task of distinguishing between victims and perpetrators incredibly difficult.
Determining what "may be material to investors'' isn't always obvious and will require administrative work to figure out.
Establishing communication with business-level executives and the board will become more critical, requiring further education and training.
This is a herculean task for a large company with a chief information security officer (CISO) and a full security operations center (SOC) team; now imagine what it will be like for smaller companies with fewer resources.
As of June 15, smaller reporting companies will be required to comply like a large organization. These requirements could inadvertently cripple companies with penalties, stifling innovation and hindering their growth.
Will startups buckle under the pressure? That remains to be seen. But smaller companies will experience some pain.
Here are steps small organizations can take to mitigate the impact.
Step 1: Get Smart on Top Security Frameworks
First, become familiar with the major frameworks. Fortunately, there are resources that can help an organization prepare.
EU Network and Information Security Directive v2 (NIS2): A directive aimed at achieving a high common level of cybersecurity across the European Union. It updates the original NIS directive to address evolving threats and improve the security of network and information systems. NIS2 provides guidelines for ensuring the security and resilience of critical infrastructure, which is essential for organizations operating in the European Union (EU).
NIST Cybersecurity Framework (CSF): A set of guidelines and best practices to help organizations manage and reduce cybersecurity risk. Widely used in the United States and internationally, it helps organizations align and prioritize cybersecurity activities based on business needs and provides a common language for managing risk.
NIST Risk Management Framework (SP 800-53): This framework provides a process for organizations to manage security and privacy risks, offering a catalog of security and privacy controls for federal information systems and organizations. It helps organizations implement a risk-based approach to security, ensuring that controls are tailored to specific needs.
NIST Guidelines for Protecting Controlled Unclassified Information (SP 800-171): This provides requirements for protecting controlled unclassified information (CUI) in non-federal systems and organizations. It helps organizations comply with federal regulations regarding the protection of sensitive information, reducing the risk of unauthorized access.
ISO/IEC 27000: ISO/IEC 27000: A family of standards for information security management systems (ISMS), including ISO/IEC 27001, which specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS. It provides a comprehensive framework for managing information security risks, ensuring that information assets are secure.
Center for Internet Security (CIS) Critical Security Controls (CSC): The CIS CSC is a set of best practices for securing IT systems and data, including a prioritized set of actions to protect organizations and data from known cyberattack vectors. It helps organizations prioritize their security efforts by focusing on high-impact areas, improving their overall security posture.
There are also global data privacy regulations frameworks such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Germany's Bundesdatenschutzgesetz (BDSG), and South Africa's Protection of Personal Information (POPI) Act. These are designed to protect personal data by managing how personally identifiable information (PII) is obtained, processed, and stored.
Step 2: Build a Security Team
Building a robust security program from scratch can be daunting, especially for smaller companies. But with strategic planning, it's possible to establish a solid security foundation with minimal resources. Here are some steps to bootstrap a security program:
Cobble together a small SOC team. Hire a senior security leader, an infrastructure security engineer, an application security engineer, and a compliance professional. These roles require experienced pros who can create a security road map, prioritize tasks based on risk, and implement scalable processes. These team members should have the capability to execute crucial elements of the security road map themselves.
Get closer with engineering. If you aren't already in close alignment with your development team, start now. Engineers familiar with the product can identify security gaps and improvement opportunities. This is vital for integrating secure practices throughout the software development life cycle, addressing penetration test findings, and adding customer-facing security features. Although resource constraints at startups make this challenging, demonstrating how early security interventions save time can help gain the necessary commitment.
Automate, automate, automate. Look for simple ways where automation can streamline security processes — from infrastructure monitoring and auto-remediation to code analysis and vulnerability management. By automating, startups can integrate security seamlessly into every process, which not only improves security but also conserves engineering time.
Try open source. While open source security tools eliminate license fees, they require time for implementation and configuration. For startups with small teams, choosing tools that vendors can deploy and manage might be more beneficial, ensuring that security enhancements are practical and cost-effective.
Cover risk and vulnerability management basics. Most breaches are related to known vulnerabilities and human error. Ensuring good attack surface visibility, scanning all assets, and meeting reasonable service-level agreements (SLAs) for critical security gaps are extremely important. These steps provide a starting point for smaller companies to navigate the new incident reporting rules. Even though the requirements create pressure, they serve help build a strong security foundation.
While there is no silver bullet, these provide a starting point for smaller companies to navigate the new incident reporting rules. Even though the new requirements create pressure, they serve as a forcing function for the inevitable: building a strong security foundation.
About the Author
You May Also Like