Steer Clear of the Iceberg: Navigating the Waters of New SEC Cyber Regulations 

Discover how enterprise companies can get ahead of SEC regulations with data management.

April 24, 2024

New SEC Cyber Regulations

Amer Deeba, Co-founder and CEO of Normalyze dives into the challenges of data breach revelation amid rising cyber threats. Discover insights and strategies to stay compliant.

According to the Cyber Warfare In The C-Suite report, with data breaches expected to cost the global economy $10.5 trillion annually by 2025, the urgency for stringent data protection has never been more critical. Case in point, 2024 is already shaping up to be the “year of data breach disclosures,” with over 650 publicly disclosed data breaches in the U.S. tracked in 2024 thus far – a number that outpaces the 2023 Q4 monthly average.

The disclosure surge follows the SEC’s updated incident disclosure rules, under which public companies must disclose “material breaches” within four days of determining they are material. Consequently, organizations are updating their incident response plans based on the industry’s shifting interpretations of the regulation.

Companies are investing in more effective methods of gauging the extent of their breaches – where they previously detected only “the tip of the iceberg” of a breach’s full impact, we’re now seeing thorough assessments.

Re-evaluating Regulation

Publicly disclosing a breach can harm an organization’s reputation, causing customers and employees to flee while harming prospective customer or partner engagements. For this reason, organizations strive to accurately assess a data breach through various factors, including the number of individuals or entities impacted, the time it will take to remediate the issue, and legal disclosure requirements mandated through myriad state and federal laws.

In January 2023, the SEC’s regulations cut through the clutter by providing more concrete measures and raising the stakes for breach disclosure. However, given the short reporting timeframe, organizations are challenged to define what qualifies as “material,” the trigger dictated by the SEC, and adopt best practices to control the breach impact and implement remediation faster.

Tip of the Iceberg

When a breach is discovered, organizations are often limited in what they know – how much information was compromised or even if the cyber attack is still underway. They might only see the tip of a large iceberg regarding overall impact. 

Without full knowledge of a breach, organizations are tasked with continuously updating key audiences as they learn more, bringing repeated attention to the breach and eroding whatever is left of their credibility. Further, companies can come back months after a breach with new data that significantly revises the actual number of customers affected by an attack. We see this repeatedly, and since the infamous series of Yahoo data breaches the iceberg phenomenon has been at the forefront of corporate attention.

The iceberg phenomenon makes data breach disclosure regulation challenging in two ways.

First, organizations cannot immediately judge the materiality of an incident. To evaluate an incident, companies need specific parameters for what they deem a “material” data breach, including how the breach affects shareholders both immediately and in the long term. According to the SEC, if the breach impacts an organization’s valuation in the eyes of the typical investor, it is considered material. The objective is to ensure that shareholders have timely information for their decision-making, but it also puts pressure on security leads to be precise in their evaluation.

The SEC pushes companies to adopt a “deliberative process” in assessing an incident’s materiality. Insights drawn from the Harvard Law School Forum on Corporate Governance underscore the balance between promptness and thoroughness in response to cybersecurity incidents. The regulation update allows companies to make more informed decisions without rushing, enhancing the quality of disclosures and preventing unreasonable delays in determining an incident’s materiality.

Without knowing what the “iceberg” looks like, it’s hard to understand the true impact of a breach. If the security team sees only the tip of the breach iceberg, they may incorrectly determine a material breach to be not material. This puts the organization at risk of sanctions from the SEC for not performing proper due diligence in their materiality assessments.

Second, without knowing the full extent of a breach, organizations cannot know how to remediate the breach and its impacts. Companies would prefer to know precisely what happened and have a clear path to remediation before disclosing the breach widely.

The SEC regulation forces companies to come clean early, regardless of their readiness or understanding of how to address the problem. However, if organizations aren’t able to see the full extent of the breach, they cannot form a remediation path that would provide confidence to all parties.

Rush to Respond

The newfound focus on data breach disclosure requires enterprises to dedicate both effort and budget to support transparency around cybersecurity risks by implementing best practices, assuring shareholders that their company’s most valuable asset – data – is protected. 

Companies can better understand the extent of a data breach and develop a remediation plan by knowing exactly where data resides and who can access it. This requires complete visibility into where data lives, the context around the sensitivity of that data, and how to ensure it stays protected. 

Visibility gives security practitioners what they need to determine materiality in a timely manner by anchoring on the monetary value of a breach, so they can adequately prepare for and, more importantly, respond to a data breach. Visibility also empowers security teams to focus remediation first where the breach has the largest business impact.

Getting Ahead of Data Breach Disclosure

The SEC regulation has transformed the state of breach disclosures and cybersecurity liability.

The updates have broader implications than other regulations, such as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and proposed SEC regulation updates for public companies. Regulation updates stress the importance of transparency and quietly handling ransom demands while outlining how companies should proactively engage in rule-making processes to refine their cyber-crisis management programs. These measures enhance an organization’s overall cyber-defense posture for greater cybersecurity transparency across various sectors, thereby contributing to a more secure digital ecosystem.

That said, the pressure to disclose data breaches has increased significantly, with organizations seeing legal pursuit from the SEC. If (and when) a breach occurs, organizations must prioritize avoiding the iceberg phenomenon altogether. The SEC’s regulation forces organizations to take a more proactive approach to data security, underscoring that data protection has evolved from a mere checklist item to an absolute necessity. 

Data protection strategies start with the basics: understanding exactly what data you have, where it lives, and the level of risk. Solutions such as data security posture management (DSPM) tools allow organizations to get ahead of regulation by taking a data-first approach to proactively and effectively securing the organization.

This approach allows IT leaders to critically examine their data across all sensitive locations, seeing when a breach occurs, determining its materiality, and disclosing it in a timely manner. Companies are investing in DSPM tools to avoid the nightmare of the iceberg phenomenon and get ahead of the SEC’s pursuits.

As we continue to evolve technologically, security teams must not be complacent with the security tools they already have in place. Technological innovation means staying ahead of regulatory requirements and safeguarding against future breaches. This is accomplished by prioritizing a protection plan that puts data itself at the center for the best interest of the company, its shareholders, and, of course, data.

Amer Deeba
Amer Deeba is the CEO and cofounder of Normalyze. A senior executive with over two decades of experience in Silicon Valley, tech, and startups, Deeba’s areas of expertise include product, marketing, and driving company growth in fast-moving industries.