As part of an ongoing effort to mitigate risks to investors, the US Securities and Exchange Commission (SEC) enacted new cybersecurity rules last month to provide investors greater levels of transparency, giving them relevant, updated information that helps them assess cyber risks more effectively and make informed investment decisions. The new rules require public companies to disclose:
- All material cybersecurity incidents within four days.
- Material information on their cybersecurity risk management, strategy, and governance on an annual basis.
Disclosure of incidents
In a press release, the SEC states that the new Item 1.05 of Form 8-K which requires registrants to disclose any cybersecurity incident that is determined to be “material” – meaning that it may have a significant impact on the company’s financial position or operation, generally within four days. The registrant also must describe aspects of the incident including timing, nature, and scope as well as its impact or reasonably likely material impact on the registrant from the incident.
However, disclosures have the potential to be delayed if the immediate disclosure would pose a “substantial risk to national security or public safety”. Public companies must comply with the new reporting structure 90 days after the date of publication in the Federal Register or December 18, 2023 – whichever is later. Smaller reporting companies will be subject to the new Form 8-K requirements starting on 15 June 2024.
Companies that fail to comply with the new rules could face a number of consequences, including, but not limited to, hefty fines as well as the potential of investor lawsuits, and damage to the company’s reputation.
Disclosure of risk management, strategy, and governance
The SEC also defined Regulation S-K Item 106, which requires companies to describe their processes for identifying, analyzing, and regulating cybersecurity risks. In addition, the registrant now has an obligation to share the board of directors’ role in managing cyber threats – all of which must be recorded in the registrant’s annual report.
All public companies must provide the new disclosure beginning with annual reports for fiscal years ending on or after December 15, 2023, which means that calendar-year companies must comply with new standards in their upcoming annual reports.
Implications for the future
In most public companies, IT and security teams have been working very hard over the last few years to be able to detect and remediate threats. Chief Information Security Officers (CISOs) have implemented risk management and cyber governance strategies to drive IT security. However, the new SEC rules now require incident reporting and management of risks to industrial networks, as well.
Although securing Operational Technology (OT) has become top of mind, IT and CISO teams are sometimes just starting to make it a priority and often lack the visibility and control required to comply with the new SEC rules for both their IT and OT networks. So how can you manage cyber risks and report cyber incidents on your OT?
Step 1. Build your industrial DMZ
First, building an industrial demilitarized zone (IDMZ) is key to preventing network traffic from passing directly between the corporate and OT networks. Cisco Secure Firewalls provide a first line of defense to adversaries when attempting to breach a network. They provide stateful packet inspection to detect and stop a variety of attacks and will let you document your reports.
Step 2. Gain visibility into your OT
Most organizations do not have comprehensive or up-to-date inventory of connected OT assets. You can’t secure or monitor what you cannot see. Cisco Cyber Vision automatically builds and maintains your inventory, at scale, so you can assess your security posture, understand risks, and drive governance by giving IT and OT a common understanding of the current environment.
Not only does visibility let you detect malicious traffic and abnormal behaviors that could lead to threats you would have to report, but it also allows you to prioritize vulnerabilities to patch and segment your industrial network into smaller zones of trust, as recommended by the ISA/IEC62443 security standard. This is the foundation of a robust OT cybersecurity strategy.
Step 3. Control remote accesses
Remote access is key for operations to efficiently manage and troubleshoot OT assets. However, historically, 4G/LTE gateways or ad-hoc remote access software have been deployed, making it nearly impossible to enforce security controls. These shadow IT solutions must be identified (using the visibility capability from Step 2) and replaced with a secured solution to provide zero trust network access (ZTNA).
Cisco Secure Equipment Access lets you extend ZTNA to operational spaces. It empowers OT teams with an easy-to-use remote access solution that’s specifically designed to support their workflows and provides granular access controls based on identity, as well as context policies, together with audit capabilities. These capabilities help organizations ensure that only authorized workers can configure connected assets, and that every action can be monitored.
Step 4. Include OT into your Security Operations Center (SOC)
Driving regulatory compliance and cybersecurity governance requires you to have a comprehensive view of your global security posture, across both your IT and OT domains. Information from your IDMZ firewalls, your OT visibility tools, your remote access solutions, and more, need to flow into your SOC to be enriched, correlated, analyzed, and reported. Platforms such as Cisco XDR let you uncover complex threats by aggregating intelligence from both Cisco security products and third-party sources.
The new SEC rules require that public companies bolster their cybersecurity strategies. As industry digitization requires more connectivity, OT and IT networks have converged. Cisco’s comprehensive IT security solutions can be easily extended to support your OT security requirements as well, so you can create consistency across your organizations and build on your existing expertise to mitigate the growing number of cyberattacks.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels