🔒 Cyber GRC: Essential Steps in Light of SEC Cyber Rule, NIST CSF 2.0, and CISA CIRCA 🔒

In today's dynamic digital landscape, managing cybersecurity goes beyond merely protecting systems. It's about Cyber GRC (Governance, Risk, and Compliance)—a comprehensive approach to aligning cybersecurity measures with business strategy, mitigating risks, and ensuring compliance with regulations. With the recent SEC Cyber Rule, NIST CSF 2.0, and CISA CIRCA, Cyber GRC's importance has reached new heights. Here's how you can leverage Cyber GRC to stay ahead:

- Governance: Establish a robust cybersecurity governance structure that sets clear policies and responsibilities. Define how your organization's cyber strategy aligns with business goals and industry standards like the NIST Cybersecurity Framework (CSF) 2.0.
- Risk Assessment: Regularly evaluate cyber risks to identify vulnerabilities and potential threats. Incorporate CISA CIRCA guidelines to manage cyber incidents effectively, minimizing business impact.
- Compliance: Ensure adherence to the new SEC Cyber Rule, which mandates disclosure of cyber incidents and proactive measures to safeguard data. Keep up to date with evolving regulations to maintain compliance and avoid penalties.
- Incident Response: Develop a comprehensive incident response plan, integrating guidance from CISA CIRCA and NIST CSF 2.0. Test and refine it regularly to ensure swift action when needed.
- Continuous Improvement: Cyber GRC is an ongoing process. Monitor performance, conduct audits, and adapt strategies to address emerging threats and regulatory changes.

By integrating Cyber GRC into your organization's DNA, you can navigate the evolving cyber landscape confidently. This holistic approach safeguards against risks, maintains compliance, and ensures your cyber strategy supports business growth. How is your organization adapting to the new regulatory landscape?
How to Navigate Cybersecurity Regulations
Summary
Understanding how to navigate cybersecurity regulations is essential for businesses to protect sensitive data, comply with legal requirements, and adapt to evolving threats. This involves aligning cybersecurity practices with governance, risk management, and compliance mandates set by authorities like the SEC and guidelines such as NIST CSF 2.0.
- Establish clear governance: Define policies, responsibilities, and frameworks that align your cybersecurity practices with regulatory and business goals to ensure accountability across leadership roles.
- Prioritize risk assessment: Regularly evaluate potential cyber threats and vulnerabilities, using updated guidelines like CISA CIRCA to prepare your organization for incidents.
- Strengthen incident response: Develop and routinely test a comprehensive plan for addressing cybersecurity breaches to meet disclosure requirements and reduce disruption.
Last year, the Securities and Exchange Commission (SEC) passed the “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” regulation. CISOs, security vendors, legal firms, consultancies, and advisory firms have primarily focused on one of the four aspects of this regulation: Incident Disclosure. But there are three other elements to be addressed on an annual basis for US public registrants:

- Risk Management
- Strategy
- Governance

CEOs and CIOs: these three elements involve management and the board of directors, not just CISOs. After reading 45 recent 10-K submissions, I want to note some observations to raise awareness.

For those who aren’t intimately familiar with how the regulation process worked, my personal observation is that – in spirit – the SEC may have thought of Sarbanes-Oxley (SOX) as an example when drafting the regulation. The requirement for SOX is for CEOs and CFOs to certify, evaluate, and disclose critical information… it doesn’t state that a VP of Finance reporting to a CFO, who in turn reports to a CEO, should certify, evaluate, and disclose critical information. I draw this analogy because most public entities have CISOs that do not directly report to a CEO. Some companies even lack a CISO by title, making it even less clear that they are “management” in the way that one might interpret the SEC language.

Put more plainly, when the SEC states, “Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise,” I think that a reasonable investor might question why only the CISO is mentioned by title in many of the recent 10-K section 1C filings. Why not the rest of the responsible management team, where applicable?
CEOs, CIOs, and board members might consider reviewing the language of the annual SEC requirement to ensure sufficient detail is provided in writing to meet the intention of the regulation. #ceo #cio #riskmanagement #corpgov #cybersecurity
New U.S. Securities and Exchange Commission rule adds a significant layer to the security governance landscape for publicly traded companies.

Key Elements:

- Material Cybersecurity Incidents Disclosure: Companies are obligated to report any material cybersecurity incidents under new Item 1.05 of Form 8-K within four business days following the company’s determination of the incident's materiality. This mandates organizations to quickly assess the severity of any cybersecurity breach and report it in a timely manner.
- Annual Disclosure of Cybersecurity Risk Management and Strategy: The new rules, reflected in Item 106 of Regulation S-K, impact annual disclosures and will require companies to provide more detailed insight into their cybersecurity risk management and strategy, including their processes for managing cybersecurity threats, and whether these threats have had, or are likely to have, material effects on the company.
- Cybersecurity Governance: Companies are required to provide further details in their annual reports about oversight of cybersecurity risks by the board and management and how they are managing these risks at different levels of their organizational structure.

Key Dates:

- December 15, 2023: Companies must make the disclosures required under Regulation S-K Item 106 (and comparable requirements in Form 20-F) about cybersecurity beginning with annual reports for fiscal years ending on or after this date.
- December 18, 2023: SEC begins enforcement of Form 8-K disclosure for cybersecurity incidents, other than smaller reporting companies (SRCs).
- June 15, 2024: SEC begins enforcement of disclosure for cybersecurity incidents for SRCs.

These strict enforcement timelines may put pressure on companies to review their current cybersecurity programs to protect against any vulnerabilities public disclosure may expose, and to ensure compliance with disclosure procedures. Need assistance?
Reach out to the Cybersecurity and Data Privacy team at Buchanan Ingersoll & Rooney PC — https://lnkd.in/gyNJQ-PP #cybersecurity #cyberlaw