Tag Archives: cybersecurity compliance

The SEC’s New Cyber Rules


What Every Public Company CISO Must Know:

The role of a Chief Information Security Officer (CISO) in public companies has never been more pivotal. With cyber threats escalating in scale and sophistication, the Securities and Exchange Commission (SEC) has rolled out new cyber regulations aimed at safeguarding investors, stakeholders, and the broader market. Given that the amendments took effect on September 5, 2023, it’s crucial for your organization to be informed. While the final rules are quite lengthy, I’ll offer a condensed and digestible version in this blog post to help you understand the key points – so make sure to read on!

The Backdrop:

Back in March 2022, the Commission proposed a suite of regulations. The intent was clear: strengthen public company disclosures concerning cybersecurity. This covered key areas such as cyber threats, strategic countermeasures, governance structures, and insights into major cyber incidents.

At the time, several major trends led the Commission to take this action. The digital evolution and massive work-from-home shifts, intertwined with the allure of cybercrime monetization and an overarching reliance on third-party tech services like cloud platforms, have stretched cyber risk boundaries. The financial fallout from cyber incidents has also skyrocketed. Given all of this, the Commission’s move to ensure transparency isn’t just timely—it’s imperative.

Though the Commission offered guidance in 2011 and 2018, the standards remained inconsistent. The 2022 regulations were introduced to bring consistency and offer investors clearer insights.

Key Mandates To Be Aware Of:

Skip ahead to 2023, and the SEC’s proposed rules have officially transformed into finalized rules. Here are the essential highlights you should be aware of…

  1. Form 8-K Item 1.05: A pivotal element in the new regulations. Public companies now have the duty to report significant cyber incidents. Reports must, “describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.” 

  2. Disclosure Timeline: After a cyber event, companies need to swiftly gauge its significance. If the incident is determined to be material, a Form 8-K must be filed within four business days. However, exceptions do exist. Should the U.S. Attorney General deem a quick disclosure a threat to national security or public safety, the disclosure can be delayed.

  3. Regulation S-K Item 106: This regulation delves deep. It mandates firms to shed light on their cyber threat assessment, detection, and management strategies. Past incidents that have or might have considerable ramifications also need to be outlined. Plus, it casts the spotlight on how involved the board is in overseeing cyber risks and the prowess of the management in mitigating them.

  4. International Disclosures: The SEC is highlighting that global transparency is crucial. Modifications to Form 6-K and Form 20-F ensure that foreign private entities aren’t left out. Significant cyber events disclosed overseas or required by foreign issuers need to be detailed.

What Lies Ahead:

The new regulations take effect a month after their publication in the Federal Register. For companies, the compliance timelines are split by form:

  • Regulation S-K Item 106 & Form 20-F: Disclosure starts with annual statements for fiscal years ending on or after December 15, 2023.

  • Form 8-K Item 1.05 & Form 6-K: Compliance starts 90 days after Federal Register publication or by December 18, 2023, except for smaller firms, which have until June 15, 2024.

  • Finally, when it comes to structured data mandates, the spotlight is on Inline XBRL. The final rules require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language. Entities must tag their disclosures in this format beginning one year after their initial disclosure obligations start. For those who may not be aware, Inline XBRL is a machine-readable markup that makes it possible to produce a single document that is both human-readable and machine-readable. So, instead of making two different documents (one for people to read and one for computers to process), you make one using Inline XBRL.
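To make the "one document, two readers" idea concrete, here is an added example (not code from the original post, and not an SEC or Findings artifact) that parses a constructed Inline XBRL fragment. Inline XBRL embeds facts inside ordinary XHTML using `ix:nonNumeric` and `ix:nonFraction` elements; a browser renders the prose, while software pulls the tagged facts out. The taxonomy namespace and the concept names under the `ex:` prefix are placeholders I made up for illustration, not the SEC's cybersecurity taxonomy.

```python
"""Read the same Inline XBRL document two ways: as prose and as tagged facts.

The sample document, the "ex" taxonomy namespace and its concept names are
CONSTRUCTED for this example; only the ix namespace is the real Inline XBRL 1.1 one.
"""
import xml.etree.ElementTree as ET

IX_NS = "http://www.xbrl.org/2013/inlineXBRL"   # Inline XBRL 1.1 namespace
XHTML_NS = "http://www.w3.org/1999/xhtml"

# Constructed sample filing fragment (not a real filing, not a real taxonomy).
SAMPLE_IXBRL = """
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:ix="http://www.xbrl.org/2013/inlineXBRL"
      xmlns:ex="http://example.com/cyber-taxonomy">
  <body>
    <h2>Cybersecurity risk management and governance</h2>
    <p>Our processes for assessing cybersecurity threats are
       <ix:nonNumeric name="ex:RiskManagementProcessesIntegratedFlag"
                      contextRef="FY2023">integrated</ix:nonNumeric>
       into our overall risk management program.</p>
    <p>The board committee with oversight responsibility is the
       <ix:nonNumeric name="ex:BoardCommitteeResponsible"
                      contextRef="FY2023">Audit Committee</ix:nonNumeric>.</p>
    <p>Estimated remediation cost of the incident:
       $<ix:nonFraction name="ex:IncidentRemediationCost"
                        contextRef="FY2023" unitRef="USD"
                        decimals="0" scale="3">1,250</ix:nonFraction> thousand.</p>
  </body>
</html>
"""


def _tag(ns, local):
    """ElementTree's Clark notation for a namespaced element name."""
    return f"{{{ns}}}{local}"


def plain_text(doc):
    """The human-readable view: body text with all ix:* tags ignored."""
    root = ET.fromstring(doc)
    body = root.find(_tag(XHTML_NS, "body"))
    return " ".join("".join(body.itertext()).split())


def extract_facts(doc):
    """The machine-readable view: every tagged fact, in document order."""
    root = ET.fromstring(doc)
    facts = []
    for el in root.iter():
        if el.tag == _tag(IX_NS, "nonNumeric"):
            facts.append({
                "name": el.get("name"),
                "context": el.get("contextRef"),
                "value": "".join(el.itertext()).strip(),
            })
        elif el.tag == _tag(IX_NS, "nonFraction"):
            # Numeric facts carry their own scale: "1,250" with scale="3" is 1,250,000.
            raw = "".join(el.itertext()).strip().replace(",", "")
            number = float(raw) * 10 ** int(el.get("scale", "0"))
            if el.get("sign") == "-":      # iXBRL encodes negatives via an attribute
                number = -number
            facts.append({
                "name": el.get("name"),
                "context": el.get("contextRef"),
                "unit": el.get("unitRef"),
                "value": number,
            })
    return facts


if __name__ == "__main__":
    print(plain_text(SAMPLE_IXBRL))
    for fact in extract_facts(SAMPLE_IXBRL):
        print(fact)
```

Running the script prints the paragraph as a reader would see it, followed by three structured facts; note that the numeric fact comes back already scaled, which is exactly the kind of normalization a filer has to get right before the SEC's validators will accept a tagged document.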

Every day we are reminded how crucial cyber resilience is. For CISOs in public companies, aligning with the SEC’s updated cyber regulations is not just about compliance—it’s a commitment to transparency, investor protection, and long-term business sustainability.

The Evolving Landscape of Cybersecurity Compliance in North America


Cybersecurity compliance is a non-negotiable for organizations in a largely digital world. Without it, you could face severe financial penalties, damaged brand reputation, loss of customer trust, and detrimental operational disruptions. 


Whether you’re operating in the U.S., Canada, or Mexico, you want to remain compliant with your respective country’s regulations. After all, understanding the ever-changing regulatory trends in North America is essential for ensuring optimal security — and avoiding severe repercussions. 


This article will offer an in-depth exploration of the current cybersecurity compliance trends, North America’s unique regulatory landscape, potential upcoming changes, and how automated cybersecurity solutions are essential for maintaining compliance. 

North America’s regulatory landscape

The United States doesn’t have federal laws that regulate the collection and use of personal data. Instead, the U.S. has a multifaceted system of state laws and regulations that often overlap and contradict one another.


For example, California has the California Consumer Privacy Act (CCPA), which grants California residents novel rights regarding their personal information and affects companies across the United States that do business with Californians.


Rather than a single federal regulation, the U.S. regulates privacy sector by sector. For instance, the Health Insurance Portability and Accountability Act (HIPAA) protects health information, while the Gramm-Leach-Bliley Act (GLBA) governs financial institutions.


In contrast, Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level, setting the baseline for how businesses handle personal information. 


Numerous provinces also maintain their own privacy statutes that mirror PIPEDA closely. Quebec, Alberta, and British Columbia stand out with their own private-sector privacy legislation, recognized as substantially similar to the federal law.


These regulatory landscapes force companies to plan and implement their cybersecurity strategies — because non-compliance could result in fewer sales and significant penalties. 


However, regulations aren’t static and are set to undergo changes. Artificial intelligence (AI) and machine learning (ML) pose a significant threat, prompting regulators to reassess existing rules and potentially create new ones. 

The comprehensive guide to cybersecurity compliance trends

In 2023, the trend in the cybersecurity landscape is toward an escalating wave of cybercrime, amplified vulnerabilities in open-source code bases, and an increased focus on human-centered design and board oversight. Amid this landscape, there’s a shared consensus: an organization’s cybersecurity strategy must balance people, processes, and technology.


AI and ML have taken center stage in 2023, and this trend extends into the cybersecurity landscape as the integration of AI and ML becomes commonplace. The International Data Corporation (IDC) attributes the impressive growth of the cybersecurity market to these technologies, with spending projections to hit $46.3 billion by 2027. But, alongside their benefits, AI and ML can be exploited by threat actors to identify and target vulnerabilities.


This creates an environment where AI and ML are double-edged swords. While these technologies enhance predictive analytics, facilitating faster and more efficient threat detection, they’re also used by threat actors to identify and exploit vulnerabilities. 


Additionally, open-source vulnerabilities continue to pose a significant threat, with at least one vulnerability found in 84% of code bases, according to Synopsys.


This underlines the importance of regular penetration testing and effective patch management. Using a Software Bill of Materials (SBOM) can help organizations keep track of their software components and update outdated open-source components, mitigating their exposure to potential cyber threats. 
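As an added example of the SBOM-driven check described above (this is my illustration, not code from the original article or from Findings), the script below reads a constructed CycloneDX-style SBOM, joins each component's Package URL against a constructed advisory list, and reports components running a version below the advisory's fixed version. The SBOM contents, component names and advisory identifiers are all made up for the example; the version comparison is a deliberately simple numeric-tuple compare rather than a full semver implementation.

```python
"""Flag outdated open-source components by joining an SBOM with advisories.

Both the SBOM and the advisory list below are CONSTRUCTED sample data: the
component names, versions and "ADV-*" identifiers are placeholders, not real
packages or real vulnerabilities.
"""
import json

# Constructed CycloneDX-shaped SBOM (minimal fields only).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libwidget",  "version": "1.4.2",
     "purl": "pkg:pypi/libwidget@1.4.2"},
    {"type": "library", "name": "jsonfast",   "version": "3.0.1",
     "purl": "pkg:pypi/jsonfast@3.0.1"},
    {"type": "library", "name": "acme-http",  "version": "0.9",
     "purl": "pkg:npm/acme-http@0.9"},
    {"type": "library", "name": "legacy-parser", "version": "2.1"}
  ]
}
"""

# Constructed advisories: a component is affected when its version is
# strictly below "fixed_in". Identifiers are placeholders, not CVEs.
ADVISORIES = [
    {"id": "ADV-0001 (placeholder)", "purl_base": "pkg:pypi/libwidget", "fixed_in": "1.5.0"},
    {"id": "ADV-0002 (placeholder)", "purl_base": "pkg:pypi/jsonfast",  "fixed_in": "2.9.0"},
]


def parse_version(version, width=3):
    """Turn '1.4.2' (or '1.4') into a fixed-width tuple so tuples compare sanely."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())   # '7rc1' -> '7'
        parts.append(int(digits) if digits else 0)
    parts.extend([0] * (width - len(parts)))                   # '1.4' -> (1, 4, 0)
    return tuple(parts[:width])


def purl_base(purl):
    """Strip the '@version' suffix: pkg:pypi/libwidget@1.4.2 -> pkg:pypi/libwidget."""
    return purl.split("@", 1)[0]


def find_outdated(sbom, advisories):
    """Return one finding per (component, advisory) pair where the component is below fixed_in."""
    by_base = {}
    for adv in advisories:
        by_base.setdefault(adv["purl_base"], []).append(adv)

    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            # No Package URL means we cannot match it; see unmatched_components().
            continue
        version = comp.get("version") or purl.split("@", 1)[1]
        for adv in by_base.get(purl_base(purl), []):
            if parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({
                    "component": comp["name"],
                    "version": version,
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


def unmatched_components(sbom):
    """Components without a purl: the SBOM gap you need to close before the check is trustworthy."""
    return [c["name"] for c in sbom.get("components", []) if not c.get("purl")]


if __name__ == "__main__":
    sbom = json.loads(SBOM_JSON)
    for f in find_outdated(sbom, ADVISORIES):
        print(f"{f['component']} {f['version']} -> upgrade to {f['fixed_in']} ({f['advisory']})")
    print("no purl, could not check:", unmatched_components(sbom))
```

The second function is there on purpose: an SBOM entry with no Package URL silently drops out of any advisory join, so a patch-management process built on SBOMs needs to report those gaps as loudly as the outdated components themselves.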


However, to navigate these advancements and vulnerabilities, compliance with frameworks and regulations such as the Cybersecurity Maturity Model Certification (CMMC), the Directive on Security of Network and Information Systems (the NIS Directive), and the Zero Trust model is crucial. They guide organizations in securing their infrastructure and managing cyber threats adequately.


For example, the CMMC (a requirement for all Defense Industrial Base (DIB) and Department of Defense (DoD) contractors) ensures that these entities have sufficient security controls in place to protect sensitive data. This compliance regulation safeguards national security while also elevating the baseline level of cybersecurity measures. Likewise, the Zero Trust model is a proactive stance against data breaches, focusing on minimizing uncertainty — a growing trend for 2023 and beyond. 


On the other hand, the European Union’s NIS Directive provides legal measures for a high level of security of network and information systems. It facilitates increased collaboration between EU member states and promotes a culture of risk management and incident reporting.


Lastly, accounting and financial data have been attractive targets for cyber attackers. In the past 12 months, 34.5% of executives reported that their organizations’ financial data were targeted, with 22% experiencing at least one cyber event. The same poll also found only 20.3% of their accounting and finance teams work closely with their peers in cybersecurity, suggesting a disconnect that could increase vulnerability to attacks.

The inevitable changes to cybersecurity regulations

The imminent changes in cybersecurity regulations carry consequences for registered investment advisors (RIAs), funds, and publicly traded companies. The U.S. Securities and Exchange Commission (SEC) is inching closer to cementing new regulations that could shake up these groups significantly, especially considering that fewer than one in five companies (20%) are equipped to handle cyber risks.


The new rules have three main parts: written plans for handling cybersecurity risks, reporting and disclosing cyber incidents, and using specific formats for reporting data. Complying with them will require a thorough understanding and detailed planning.


Luckily, companies like Findings offer services that cover this ground. For example, Findings helps businesses prepare and review their cybersecurity assessments each year. 


Findings also helps businesses outline what a cyber incident looks like, set up practices for reporting them, and come up with a clear plan to protect against cyber threats and handle any incidents that do happen.


While these new SEC rules mainly affect financial and publicly traded companies, all organizations need to pay attention. Beyond just avoiding fines and penalties, having strong cybersecurity practices (e.g. ones that involve automation, AI, and ML) helps build trust with stakeholders.

The role of automation in building a cyber-resilient future

To stay ahead in cybersecurity, organizations are now leveraging automation for a more efficient and agile approach to risk assessment and management.


Automation enables faster, error-free decisions. It delivers real-time threat information, which empowers security teams to effectively manage threats. Not to mention, the systematic organization of data reduces the time between threat detection and mitigation. 


Additionally, automation helps harmonize data and collaboration within organizations. A centralized platform for data collection ensures consistent information across all departments, eliminating discrepancies and enabling effective collaboration. 


With accurate and comprehensive information at their fingertips, executives and managers can make better-informed decisions — improving cyber risk management strategies.


As organizations aim to protect their assets and maintain customer trust, automation is a must. 


Adopting automated security risk assessments enables organizations to maintain a proactive stance against cyber threats, ensuring a secure operational environment. With new compliance trends and the looming possibility of further regulatory changes, your business needs to be prepared — by implementing automation. 


When you integrate automation, you can improve response times, standardize data, enhance collaboration, and scale security risk assessment processes, turning this potential challenge into a strategic strength.

