In today’s increasingly connected world, digital technology is impacting how business is conducted, while adding innovative value to an organization’s products and services. The level of interconnectedness, however, exposes corporate issuers to an increased level of information security-related risk.
To mitigate these risks, strong cyber governance and information security oversight is critical to the well-being of an organization. Having top security oversight should reduce a company’s potential risk of harmful economic outcomes. Since cybersecurity breaches can cause widespread damage to a company’s operations, organizations are working to establish more comprehensive reporting of mitigation efforts.
In July 2023, the US Securities and Exchange Commission (SEC) set forth new rules that require public companies to disclose their information security risk management strategies and governance practices annually. While the rules don’t take effect until December 5, 2023, companies are making moves now to adhere to the new SEC rules. Additionally, they must report any material cybersecurity incident quickly. In light of this new reality, organizations should consider both how to comply with the new rules and how to best demonstrate information security governance.
Companies increasing reporting efforts
Signaling to stakeholders that they’re making an effort to manage cybersecurity threats has become important to companies in advance of the SEC rules. Looking at S&P companies surveyed by the Institutional Shareholder Services (ISS), more than 80% of companies include details regarding both the risks and methods used for mitigation.
More and more companies are choosing to indicate that they have implemented an information security training program, with nearly 85% of the S&P 500 making such disclosures, a significant increase over the past two years. In 2021, just 57% of S&P 500 companies disclosed such programs, and 75% did so in 2022.
Another indicator of a company having a cybersecurity training program is the presence of information security risk insurance. Companies may be less inclined to report this as it can be an indicator of vulnerability to cybercriminals. However, there is not a lot of strong evidence to suggest that companies are impacted for revealing the existence of risk insurance, according to ISS. While nearly 67% of S&P 500 companies have disclosed that they have information security risk insurance as of September 2023, most companies remain underinsured given the scale of exposure.
Cybersecurity breaches and non-material breaches
Organizations that experience a cyber breach must comply with the new SEC rules that compel companies to disclose the information quickly — generally within four days. Disclosing these breaches not only provides stakeholders with information on a company’s cyber posture, but also provides investors with information necessary to assess the impact.
While the new SEC reporting rules take effect on December 5, the number of organizations disclosing breaches has already increased and continues to do so. More than 30% of S&P 500 companies have disclosed either a material or an immaterial breach within the past three years.
However, a majority of S&P 500 companies did not indicate whether any breach occurred, and it’s unclear whether the lack of reporting is due to a lack of breaches. The new SEC rules should provide more clarity through more complete and accurate disclosures.
Securing IT, OT and other connected technologies
Due to the rise of cyberattacks, cybersecurity posture must go beyond reporting and identifying breaches. It requires specialized solutions designed with advanced security controls such as unified visibility of all assets, detection of anomalies and threats, and comprehensive security measures for protection against cyber breaches.
Tracking IT and OT devices across an organization is complex and requires a deep understanding of a company’s network, connectivity and technology, along with proper control and visibility of the OT and IT landscapes. HCLTech’s 360° SecureOT is a solution designed to address the dynamic, complex and evolving nature of OT/IT and IoT cybersecurity requirements.
The solution offers in-depth visibility that enables real-time passive and autonomous monitoring of all connected systems and data flows. The architecture is also designed to help organizations adhere to industry standards and regulatory compliance requirements such as ISA/IEC 62443, NIST and NERC CIP.
As the threats to organizations’ networks continue to grow, companies that are forward looking on information security will have the best chance of improving their cybersecurity posture. Companies and stakeholders alike can benefit from disclosure of cybersecurity incidents, as the disclosures help identify areas for improvement.