We are now entering a new era in cybersecurity: one in which governments and regulators increase oversight of cybersecurity risk and incidents.
Instead of viewing the new regulatory push around the world as a burden, companies may see it as an opportunity to prepare for greater cybersecurity transparency. Many companies in the US may fall under the regulation of either the SEC or CISA; the latter has implemented disclosure requirements for critical infrastructure companies.
So, what can companies do in the wake of the increased regulatory pressure?
Incident response playbooks play an important role. As more companies suffer from cyberattacks, preparedness to deal with a cyber crisis becomes more important. In 2021, the FBI reported the highest number of cybercrime complaints and the highest reported total losses in history: 850,000 complaints reflecting $6.9 billion in losses. In 2016, the FBI estimated that it receives complaints for only around 10% of all cybercrimes – most cybercrime has tended to go unreported.
While specific disclosure requirements differ depending on the regulatory framework, most have a common core. For example, under the critical infrastructure regulation in the US, companies have either 24 hours or 72 hours to disclose the incident, depending on the event. The SEC now requires a disclosure within four business days.
Regardless of the specific timeframe, the new regulations have put more emphasis on cyber risk oversight from the board of directors. Board members will need to understand and be able to describe their company’s cybersecurity risk management processes and maturity.
The new regulations also mean that IT and cybersecurity teams have to work more closely with company leadership, especially with chief risk officers and legal teams, to comply with the new regulatory requirements.
Irrespective of the specific regulatory framework, companies can segment their preparation into three stages: 1) determine the existing cybersecurity reporting capabilities, 2) identify gaps to meet reporting requirements, and 3) develop a road map to fill the gaps.
In the short term, companies can take the following steps:
- Set up a cross-functional team that focuses on cyber-reporting requirements. It should include compliance, legal, and technology experts, and key business leaders.
- Examine the baseline for current cybersecurity reporting capabilities and cybersecurity maturity (including board expertise, governance and oversight).
- Determine which capabilities need to be built.
In the long term, companies can:
- Establish a long-term cyber-reporting and disclosure group.
- Optimise reporting processes and hire new talent as required. Adjust the processes as regulations are updated.