Now that the SEC’s cyber disclosure rules are in effect, companies are still working through their approaches to compliance. You may be a CISO tasked with getting your team up to speed quickly amid tight staffing and security budgets, emerging technology and a growing threat landscape. If you find it difficult to go it alone, integrating managed services into your cybersecurity operations can help your organization establish trust, maintain transparency and simplify future reporting obligations as they arise.
The SEC’s final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure puts the onus on companies to give investors current, consistent and “decision-useful” information about how they manage cyber risks. A managed services provider can quickly provide the people, processes and technology to help establish a sustainable, consistent practice and the speed to keep pace with evolving regulations.
For a cybersecurity program to be truly mature, its processes need to be tested and easily replicated so that the materiality of an incident can be determined and reported quickly. A managed services provider can continuously adapt its services to provide you with process consistency and integrity.
Managed services providers offer round-the-clock support and can help you scale and plan strategically. Yet only 25% of companies are establishing protocols with major technology providers (e.g., cloud, device manufacturers, managed services) to coordinate an incident response, according to PwC’s 2024 Global Digital Trust Insights survey. It’s not just about using managed services; as a CISO, you also need to determine how to work effectively with a third party to achieve the desired return on these investments.
Harmonizing dozens of processes and investments as part of a larger, dynamic system can help accelerate preparation, streamline operations and maintenance, and support strategic planning. An effective managed services provider can help close capability gaps, give you better control over your technology spend and help you derive greater return on investment (ROI).
Here are a few scenarios to consider as you think through your needs:
Large organizations may face eight to ten regulatory changes on an annual basis. Hiring additional in-house talent and bringing them up to speed to meet each challenge may be neither practical nor cost-efficient, and the ongoing cycle of various certifications can impact employee morale. Ask yourself:
Ongoing economic uncertainty and budget restraints force many companies to make do. In PwC’s 2024 Global Digital Trust Insights Survey, 40% of business, technology and security executives say they plan to prioritize ongoing security training in their cyber budget over the next 12 months. The spend ranks closely behind the top three priorities in respondents’ cyber budgets:
That pace of training, along with the other demands on your team’s time, may overwhelm your employees. Outsourcing repeatable, outcome-based tasks can remove the burden from strained cybersecurity professionals and free them to focus on other work. It’s important to ask:
The SEC cyber disclosure rule requires companies to describe their processes to assess, identify and manage material risks from cybersecurity threats. Many companies struggle with a patchwork of systems that hinders the consistent reporting needed to determine the materiality of an incident. They may lack the infrastructure to generate a continuous loop of information because processes are ad hoc and/or technology is outdated. If this sounds familiar, it may be time to consider the following questions:
It’s not up to the managed services provider to determine whether an event is material, but these third parties can supply information that supports incident reporting. Their first step would be working with a client to understand what information is necessary to make a determination. Beyond detection and incident reporting, a managed services provider can help put preventive measures in place. Vulnerability management, patch management and other risk-reduction services are going to become increasingly important as the stakes of having a breach increase.
In addition to issuing the final disclosure rule in July, the SEC has expanded its enforcement division to focus on compliance with existing securities laws. This comes as stakeholders (consumers, investors, CEOs and boards) also demand more information about how companies manage cyber risk exposure. It’s increasingly important for you, as CISO, to identify resources that enhance your external cyber reporting capabilities.
Effective date: Material incident disclosure requirements are effective as of December 18, 2023. Smaller reporting companies have a 180-day deferral.
Advantage: A well-managed security operations program helps establish trust when a material incident is reported in a timely manner.
Effective date: Disclosures for risk management, strategy and governance are effective for all registrants for fiscal years ending on or after December 15, 2023.
Advantage: A fully operational cybersecurity program offers confidence to investors and regulatory bodies and helps reduce the effort required to comply with reporting requirements.
Effective date: Disclosures for risk management, strategy and governance are effective for all registrants for fiscal years ending on or after December 15, 2023.
Advantage: A mature program reporting consistent KPIs and KRIs shows investors and regulatory bodies that both leadership and the board have visibility into and oversight of the program.
Cybersecurity is often addressed episodically, when an audit occurs or a breach happens, rather than continuously. With each new regulation, some organizations form a separate team to address it, paving the way for bad actors to enter and narrowing your ability to build transparency and confidence with employees and consumers. Failing to respond persistently is like locking the front door and leaving the back door open. Working with a managed services provider can facilitate the compliance that’s necessary to build stakeholder confidence and trust.
The role of the CISO and the security team is increasingly vital to the lifeblood of the organization. By strategically integrating managed services into your operations, you have an opportunity to foster a culture of continuous improvement in cybersecurity. This means taking a top-down approach and investing in the resources and support needed to safeguard against potential threats and vulnerabilities, report with confidence and manage a mature operating program. The SEC’s new cyber disclosure rule is your opportunity to get ahead of the next regulatory update by working closely with a managed services provider.