SEC Cyber Rule Alert: CEOs must integrate cybersecurity into business strategy or brace for consequences


The SEC’s new rule is forcing the cyber industry to rewrite the narrative on the roles and responsibilities of a CISO and their cybersecurity program.

The SEC’s Final Rule of July 2023 on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure laid down in clear-cut terms the need for companies to increase their transparency and accountability to stakeholders when it comes to cyber risks. On the surface, the rule appears simply to mandate that companies disclose their cyber program, their incident response plan, and the impact of cyber risks on their business strategy. However, in the months since, as information about more and more major breaches has entered the public eye, it has become evident that what the rule necessitates is a paradigm shift: a redefinition of the way cybersecurity needs to be approached in the first place.

In the last six months, major cyberattacks carried out against companies like Clorox and MGM have deliberately and strategically targeted critical business operations, aiming to bring the companies to their knees. One recent addition to the roster has been VF Corporation – the owner of Vans, Timberland, and North Face – which fell prey to a cyberattack that disrupted regular business operations. The attack resulted in data theft and the encryption of some of its systems, and VF has reported that the attack has materially impacted business operations and will continue to do so for the foreseeable future.

What the SEC’s final rule truly asks for is not a simple report of the occurrence and impact of a breach, as in the above cases. Rather, the SEC rule wants organizations to align their cyber strategies with their business strategies, such that the two work in harmonious conjunction.

CISOs, in collaboration with business leadership, need to re-evaluate what cyber risk means to them, how it should be assessed, and how it needs to be reported in the public domain to build the trust of their stakeholders and shareholders.


Breaches are inevitable, but not unmanageable

While the focus in dealing with cyber attacks has, to date, been on preventing them and keeping malicious actors out, the SEC’s final rule compels CISOs to also give thought to how their organization can be protected in the event of a breach. Think of valuables in a house: simply locking the front door to protect them isn’t enough – you need a strong safe in the house that secures the valuables even if a thief breaks in.

Conventionally, cybersecurity has been viewed from an outside-in perspective rather than an inside-out one. Clorox, for example, which suffered a major cyberattack in August 2023, was the topmost secured company within its industry on Forbes’ list of America’s Most Cyber Secure Companies. Such lists, however, normally focus on how good an organization is at preventing breaches, and not on how well it is able to protect itself once a breach has already occurred. Clorox may have had a strong cyber program protecting it from breaches by malicious actors, but once hackers got in, the company’s business operations were essentially ripe for the picking. The material impact of the attack shook the company, which reported a 20% decline in net sales (amounting to a $356 million decline) in its First Quarter 2024 Earnings report and a 21% drop in its stock price.

A shift in perspective is required, from attempting to eliminate cyber risks to prioritizing the effective management and minimization of them. The SEC’s final rule demands that CISOs think about how risks are being measured and how cyber programs are being designed to manage risks to the company – a process which starts by considering what damage can be done by a malicious actor who has already breached the company’s defenses.

The need of the hour is to prioritize establishing a resilient business that can defend itself from malicious actors as well as leverage data to make informed decisions and stay a step ahead of its competition. By exercising vigilance and implementing robust cybersecurity measures, businesses can skilfully navigate the evolving threat landscape and protect their data.

A well-understood business is a well-protected business

Traditionally, cyber experts have been positioned as the technologists and defenders of a business. This role has also meant that, in an organizational hierarchy, CISOs have often acted as individual contributors functioning within their own mini ecosystem, stationed on the outer edges of the business’s operations. This, consequently, results in limited knowledge of business processes and of the required levels of defense – a handicap that can be crippling if not addressed by bringing CISOs to the executive table and actively integrating cybersecurity measures with the overall business strategy.

It is essential for CISOs to have a clear understanding of what needs to be safeguarded in order to effectively protect the business. When CISOs intentionally enter, and are brought into, the fold of the executive team, they are equipped with the tools and information they need to align their organization’s cyber strategy with its business strategy. Understanding the business, its goals, its needs, and its functioning is essential for establishing a holistic cyber strategy that protects it from cyber attacks – both before and after a breach occurs. If you don’t understand how something works, how can you protect it?

SEC Rule-compliant cyber programs need a business lens

When CISOs act as strategists working in conjunction with business leadership, they shift from being individual contributors to being leaders in their organization. Businesses care about their reputation, their critical operations, and the generation and maintenance of revenue. When CISOs take these priorities into account, they are able to formulate a cyber program that ensures none of these three core facets takes a hit in the event of a cyber attack – or, at least, that they are minimally impacted by it.

For example, a cyber program that isn’t aligned with the business strategy may fail to cover certain critical business operations because the CISO is not privy to all business-related details. In such a case, even the most carefully designed cyber strategy can end up with gaps that leave the company vulnerable to major impact from cyberattacks.

There are, broadly, three types of cyber programs prevalent today:

  • Compliance-driven: Evaluates security based on control assessments, focuses on achieving target Control Scores, and is driven by regulations.

  • Threat response-driven: Evaluates security using frameworks (like MITRE’s ATT&CK framework), adds new controls based on threats and frequently changes priorities, focuses on strengthening technical resiliency, and is driven by new applicable threats.

  • Business-driven: Evaluates security based on the business impact of top cyber threats, partners with the business to prioritize controls and high-value assets based on risk appetite, focuses on strengthening business operation resilience, and is driven by top business risks.

As CISOs shift from being individual contributors to being collaborators with business leadership, what is needed is a move from a compliance-driven program to a business-driven program. It is in the latter that CISOs can truly function as part of the organization’s executive team, which in turn enables the strategic protection of the company, and which therefore needs to be backed by the CEO, the Board, and the Chief Legal Officer.

This transition requires cyber leaders to broaden their focus from purely breach-related aspects (like the database, primary servers, customer data, and the network infrastructure) to also taking into account how the company can best be defended with its key concerns in mind – which, traditionally and generally, have been its reputation, its critical operations, and revenue generation and maintenance.

An organizational transition of this kind is mutually beneficial for both CISOs and the business. It helps the business reach its goals and address its needs, and it helps CISOs by distributing accountability and adding a layer of defensibility to their decisions, which they will now be making with the input of the business leadership.

A cyber program driven by business insights should, ideally, assess and answer the following questions:

  • Which critical business processes, if disrupted, could paralyze our operations?

  • How much financial loss (in dollars) can our business realistically absorb from the downtime of essential processes?

  • What are the high-value assets underpinning our critical business operations?

  • Among the various cyber risks threatening our critical processes, which ones demand our immediate attention?

  • In the event of a cyber risk becoming reality, how severe would the impact be on our business?

  • What approach will ensure our leadership accurately identifies what is critical in terms of financial and reputational impacts?

A cybersecurity program that develops from the assessment of business-defined risks and prioritizes and controls investment requirements could potentially look like this:

(Figure: a business-driven cyber program. Image Copyright © BluOcean Digital 2024)

A business-driven cyber program prioritizes its cyber initiatives based on quantifiable business risk impacts. Investments in cyber controls are made strategically to better protect the business, focusing layers of defense on key processes. The goal of a successful cyber program is risk reduction for the business, not an increase in its control maturity scores.

In a nutshell…

The SEC’s final rule has made it necessary for CISOs to be integrated into their organizations’ executive teams, working with the C-suite and Legal to adequately protect their businesses. Such a collaborative approach will establish CISOs as executive leaders and result in the development of a comprehensive cyber program that can be jointly led by the C-suite and the board.

Ready to elevate your cybersecurity strategy to a whole new level? Our tailored solution not only aligns perfectly with your business needs but also ensures full compliance with the SEC Rule. Don’t miss this opportunity to fortify your organization’s digital defenses. Discover how our approach can revolutionize your cyber program today!

Written by: Vishal Chawla and Katie Reilly