The U.S. Securities and Exchange Commission (SEC) this week voted to adopt new rules for how companies inform investors about cybersecurity concerns. The vote comes after years of gradually increasing guidance and scrutiny over companies’ handling of cybersecurity events and follows a lengthy comment period where companies, including CrowdStrike, provided input.
The new rules, which go into effect later this year, will require publicly listed companies to disclose material cybersecurity incidents within four business days of determining a material incident occurred. This includes stand-alone incidents as well as the cumulative impact of a series of related incidents. They also require these companies to regularly disclose how they manage cybersecurity risks, who is responsible and how these risks are reported to the board of directors.
From our view, the intent of the SEC rules is to protect investors by requiring more clarity, consistency and timeliness in how companies handle cyber-related disclosures. An ancillary effect is that companies may implement better overall cybersecurity hygiene and risk management processes to be more resilient to cyber incidents in the first place.
Debate will continue over whether the new disclosure rules force organizations to disclose details of an incident while it is still ongoing. Regardless of how that debate resolves, public companies, and any organization looking to implement more mature security controls, can use this moment to double down on proactive defenses that get them ahead of a potential incident.
Contact CrowdStrike to schedule an SEC security briefing to learn more about the new SEC rules on cybersecurity and how your organization can prepare.
The Best Preparation Is Proactive Prevention
The best strategy for handling the SEC’s disclosure rules is to prevent material incidents from occurring in the first place. By the time a company is debating whether an incident is material, it has already missed the opportunity to contain it. Proactive prevention is the best opportunity to stop an incident outright or to minimize the damage during the critical early period.
When it comes to cybersecurity, speed is essential. According to the CrowdStrike 2023 Global Threat Report, the average time it takes an adversary to compromise a system and move laterally into the rest of the network is just 84 minutes. Companies need to ensure they have the tooling and teams necessary to respond to and remediate an incident with the same speed. This means augmenting existing teams with services and AI that can automate protection and accelerate investigation.
Although it is up to each company to make its own legal determination as to whether a series of related occurrences is material, adversaries increasingly use public, coercive techniques to force victims to comply with demands. The CrowdStrike 2023 Global Threat Report also found that data leak extortion campaigns are at an all-time high, and that certain threat actors taunt victims with references to the privacy, data protection or other compliance obligations a breach might trigger. Consequently, holistic visibility into security events, coupled with intelligence about the threat actors behind them, plays an important role in assessing disclosure obligations.
It is not enough to work reactively after an incident has occurred. Configuration management, through endpoint and cloud hardening, Zero Trust architectures and external attack surface management, needs to be a cornerstone of a robust security posture. Proactive threat hunting to identify activity that tools missed, and threat intelligence to home in on what to look for, also need to be part of this mix.
Even with proactive prevention in place, companies will still need a game plan for complying with the new disclosure rules should an incident occur. This requires defining how they will assess materiality and who will ultimately sign off on what constitutes a material incident. To date, this has not been a standard component of most incident response plans, so most companies will need to develop a framework and conduct exercises to test and refine it. From a technical perspective, companies will need to ensure they have a system of record that tracks the impact of incidents so they are able to consider the cumulative impact of smaller related incidents when making their materiality assessments.
Companies that cannot investigate incidents quickly will be seriously disadvantaged in trying to make these assessments. Not only can investments in rapid detection and remediation capabilities reduce the likelihood of material incidents, they also increase the amount and reliability of the information available when evaluating incident impact and defending the decision later.
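The two mechanics the previous paragraphs ask for, a system of record that can roll up the cumulative impact of related incidents and a clock that starts at the materiality determination rather than at discovery, are small enough to show in code. The following is an added example written for this page; it is not CrowdStrike code and the materiality threshold, the incident records, the campaign grouping key and the holiday calendar are all constructed assumptions. The rule counts business days, so the example skips weekends and any holidays the caller supplies; the page does not define which holidays apply, so none are hard-coded.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, Optional

DISCLOSURE_WINDOW_BUSINESS_DAYS = 4  # "four business days of determining a material incident occurred"


@dataclass(frozen=True)
class Incident:
    """One row in the incident system of record (constructed schema, not a product format)."""
    incident_id: str
    campaign: str                      # grouping key for "a series of related incidents" (assumption)
    discovered: date
    impact_usd: float                  # estimated financial impact
    records_affected: int
    determined_material_on: Optional[date] = None


def business_days_after(start: date, n: int, holidays: FrozenSet[date] = frozenset()) -> date:
    """Advance `n` business days past `start`, skipping Saturdays, Sundays and supplied holidays."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def disclosure_deadline(determination: date, holidays: FrozenSet[date] = frozenset()) -> date:
    """The clock starts at the materiality determination, not at discovery."""
    return business_days_after(determination, DISCLOSURE_WINDOW_BUSINESS_DAYS, holidays)


def cumulative_impact(incidents: Iterable[Incident], campaign: str) -> Dict[str, object]:
    """Roll up every incident tagged with the same campaign so the aggregate can be assessed."""
    related = [i for i in incidents if i.campaign == campaign]
    if not related:
        return {"count": 0, "impact_usd": 0.0, "records_affected": 0}
    return {
        "count": len(related),
        "impact_usd": sum(i.impact_usd for i in related),
        "records_affected": sum(i.records_affected for i in related),
        "first_seen": min(i.discovered for i in related),
        "last_seen": max(i.discovered for i in related),
    }


def exceeds_threshold(summary: Dict[str, object], impact_threshold_usd: float) -> bool:
    """A quantitative trigger only; the materiality decision itself stays with counsel and the sign-off owner."""
    return float(summary["impact_usd"]) >= impact_threshold_usd


# Constructed sample data: three occurrences, each below a hypothetical $1M trigger on its own.
SAMPLE_INCIDENTS = [
    Incident("INC-1001", "EXTORTION-2023-A", date(2023, 7, 10), 400_000.0, 2_000),
    Incident("INC-1007", "EXTORTION-2023-A", date(2023, 7, 21), 350_000.0, 1_500),
    Incident("INC-1012", "EXTORTION-2023-A", date(2023, 8, 1), 300_000.0, 1_200),
    Incident("INC-1013", "UNRELATED-PHISH", date(2023, 8, 2), 5_000.0, 10),
]
HYPOTHETICAL_THRESHOLD_USD = 1_000_000.0  # assumption for illustration only


def assess_campaign(campaign: str = "EXTORTION-2023-A", determination: date = date(2023, 8, 3)) -> Dict[str, object]:
    """Roll up the campaign, apply the trigger, and compute the deadline from the determination date."""
    summary = cumulative_impact(SAMPLE_INCIDENTS, campaign)
    summary["trigger_hit"] = exceeds_threshold(summary, HYPOTHETICAL_THRESHOLD_USD)
    summary["deadline"] = disclosure_deadline(determination) if summary["trigger_hit"] else None
    return summary


if __name__ == "__main__":
    result = assess_campaign()
    for key, value in result.items():
        print(f"{key}: {value}")
```

Each of the three related incidents is individually below the hypothetical trigger, but the roll-up crosses it; that is the case the page warns the system of record must surface. The deadline helper deliberately takes the determination date as input so that a determination made on a Thursday yields a deadline the following Wednesday, and a holiday in between pushes it out by a day.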
Register for our live webinar to learn more about the new SEC rules on cybersecurity and how you can prepare.
How CrowdStrike Can Help Your Organization Prepare
The best thing public companies can do in the face of these new requirements is focus on the fundamentals of good security practices. These both reduce the likelihood that a cyber incident will be material and provide a foundation for an organization’s required annual disclosure on cyber risk management.
The CrowdStrike Falcon® platform provides unified prevention, detection, hunting, intelligence and remediation from a single agent and console. With CrowdStrike, organizations can prepare for the new disclosure rules by embracing proactive prevention, which empowers them to:
- Understand Risk and Enforce Cyber Hygiene: Cyber resiliency starts with an assessment of where an organization is at greatest risk for a security incident. This enables an organization to proactively address the risk before an incident happens. CrowdStrike Falcon® Surface enables companies to understand their external attack surface and minimize the risk of a cyber incident stemming from an exposed asset, while CrowdStrike Falcon® Spotlight helps prioritize the vulnerabilities that threat actors are most likely to target.
- Automate Protection and Accelerate Investigation: With CrowdStrike Falcon® Insight XDR, companies can detect incidents faster and with greater accuracy. With AI-powered automation embedded across the Falcon platform, organizations can rapidly ingest data and generate detections across domains to stop breaches earlier, reduce the materiality of an incident and speed overall response times.
- Protect Cloud Environments: The CrowdStrike 2023 Global Threat Report highlights that cloud exploitation continues to rise. Cloud exploitation cases grew by 95% and incidents involving cloud-conscious threat actors nearly tripled from 2021. CrowdStrike Falcon® Cloud Security provides complete protection and visibility to prevent incidents and breaches of cloud environments.
- Stop Identity-Based Attacks: 80% of cyberattacks now leverage stolen or compromised credentials. CrowdStrike Falcon® Identity Threat Protection provides organizations with comprehensive protection against identity-based attacks. Organizations can rapidly detect an attack, stop lateral movement and prevent an incident from escalating into a material event.
- Leverage Managed Detection and Response (MDR): Outsourcing critical security capabilities to leading MDR services can help organizations overcome the skills gap and reduce the complexity of their security environment. CrowdStrike Falcon® Complete is widely recognized as the industry’s leading MDR, providing the 24/7 prevention, threat hunting, detection and response capabilities needed to reduce the likelihood of a material incident. CrowdStrike Falcon Complete XDR extends these capabilities across all key attack surfaces to help organizations close the cybersecurity skills gap and stop attempted intrusions quickly, which in turn makes a disclosure within the required time frame more achievable if one is needed.
- Integrate Threat Intelligence into Security Strategies: A comprehensive threat intelligence program can align an organization on which threats and adversaries to focus their security efforts. CrowdStrike Falcon® Intelligence enables organizations to easily operationalize intelligence within the security operations center, gain visibility into adversary tactics and motives, and receive best-of-breed intelligence reporting and technical analysis.
- Proactively Hunt for Threats and Incidents: Cyberattacks continue to become more sophisticated and harder to detect. Seventy-one percent of attacks are now malware-free. CrowdStrike Falcon® OverWatch provides proactive threat hunting capabilities that enable organizations to detect and disrupt hidden attacks. Identifying hands-on-keyboard activity can minimize the scope of a potential incident.
- Optimize Your Logging Strategies: Investigations frequently stall because the logs needed to support them were never collected or have already aged out. The availability and cost of logging has long challenged CIOs and CISOs, and the migration to cloud has compounded the problem. Solutions like CrowdStrike Falcon® LogScale deliver logging capabilities that speed investigations and provide full visibility while reducing overall costs. Understanding what to log, how long the log data should be retained, and whether staff and responders can access this data quickly when needed should be part of the overall plan.
- Train for the Fight: Regular exercises are a critical part of maintaining an organization’s readiness posture as well as testing out new plans and processes. CrowdStrike’s Red Team/Blue Team exercises give technical responders an opportunity to practice against hands-on-keyboard threat activity, while Tabletop Exercises test coordination across security teams, business leaders and the board. Any new frameworks for reviewing materiality and making disclosures should ideally be exercised in a simulation.
Preparing People and Processes for Risk Management Disclosure Rules
In addition to pushing public companies to implement better cybersecurity hygiene, the SEC is also pushing to strengthen risk management processes. This will put more of an onus on executive leaders and the boards that advise them. By requiring organizations to identify which business leaders are responsible for cyber risk, as well as their level of expertise, the SEC is underscoring that security oversight cannot be a rubber stamp.
For boards of directors, CIOs and CISOs, this means asking probing questions about the tooling, people, processes and vendors that make up your security ecosystem, and supporting change where appropriate to uplevel the ability to detect, prevent, respond, recover and report as effectively as possible. It also means challenging claims of inexpensive, “check-box” solutions and focusing on the ability to evolve the security posture as the threats to your business and the rules change.
To the extent that cyber risk assessments are not already formalized, public companies will need to ensure they have a strategy for evaluating their risk exposure. In most cases, this will involve a layered approach, including periodic holistic risk assessments, more frequent red teaming, and tooling that supports continuous risk identification and management. It’s also recommended that companies use this opportunity to strengthen their internal risk governance practices and monitoring processes, which can help expedite and inform the evaluation requirements.
The new rules suggest that directors and officers across the board — even if they are not directly responsible — will need to expand their knowledge of cyber risk. Most are already doing this. Many of our customers’ board members have asked to participate in or observe cyber tabletop exercises focused on testing their organization’s response. Others are requesting dedicated training or more frequent briefings on the threats to the business as well as the results of tests and assessments.
CrowdStrike will continue to engage with the SEC and other regulators to advocate for the harmonization of new and existing cybersecurity incident reporting requirements. As new rules are put forth, it will be important to ensure alignment with existing regulations so that victim organizations can comply in a timely and transparent manner while continuing to focus on the fundamentals that keep their networks secure.