SEC’s New Cyber Reporting Rules Mandate More Transparency, Tougher Defense

In March 2022, the U.S. Securities and Exchange Commission (SEC) proposed a set of amendments intended to bolster publicly traded companies’ defenses against cyberattacks.^[i] Their primary aim is to better inform investors about a company’s cyber risk management, strategy and governance and to provide timely notification of cybersecurity incidents that could have a material effect. The proposed rules would also standardize the format for disclosing such incidents and make the determination of what qualifies as ‘material’ less subjective.

If approved, the rules would require new cybersecurity protocols, including:

• Timely reporting of ‘material’ cyber incidents followed by periodic updates about them.
• Periodic reporting of policies and procedures the company has in place to identify and manage cyber risks.
• Reporting of management’s role – and relevant expertise – in assessing and managing cyber risk and implementing policies/procedures.
• Reporting of the board of directors’ governance role – and relevant expertise, if any – in cyber risk management.^[ii]

To report breaches in a timely manner and meet the rest of these requirements, information security officers need to have the right processes and governance structures in place. They should be well-versed in the current threat landscape to determine where a potential attack could come from. Of particular importance, they should be able to assess cyber threats in terms of overall business risk and explain that risk in language that all stakeholders can understand. They also need to educate employees on how to recognize and report issues, no matter how trivial they might appear. Lastly, they need to have proper training and experience in managing a cyber crisis.

Many companies may lack this expertise. It’s a key muscle they need to develop, no matter the size of an organization or if they have to publicly report incidents

A fair number of respondents admitted in a recent survey that they are remiss in maintaining safeguards addressed by the SEC amendments.^[iii] For one, many of them don’t review their company’s cybersecurity plan or update it regularly – which makes it unlikely that they’re keeping up with the rapidly evolving tactics of threat actors. Only 26% of respondents say they have cyber incident response plans that are applied consistently and tested across the enterprise.

While the Internet of Things (IoT) is helping to interconnect and automate all kinds of infrastructure and operations, transforming how we live and work, it can potentially open back doors into Operational Technology (OT) systems. With digital transformation, IT and OT environments are converging as they are migrated from on-premise servers to the cloud, which can also increase risk. At the same time, many employers now allow at least some employees to work remotely, which can expose both OT and IT systems to greater vulnerability.

Creating a more resilient OT or converged IT/OT environment calls for a comprehensive strategy of implementing robust security governance and processes, investing in the right technology and training employees. It starts, however, with basic cyber hygiene :^[iv]

• Train employees to better identify ID scams, malicious links, social engineering attempts and other Social Engineering tactics.
• Develop and maintain an active asset inventory, including Software Bill of Materials (SBOM).
• Update operating systems, applications and device firmware regularly. .
• Install end-point protection, such as AI-driven advanced anti-malware software across all assets and keep them up to date.
• Create a resiliently designed network architecture with the appropriate zoning and conduits to minimize disruption in the event of an incident.
• Implement best practice hardening for all compute, storage and networking infrastructure.
• Employ appropriate backups and system restoration procedures and store copies of the most recent backup offline, ensuring a backup testing regime is maintained.
• Deploy compliance and risk monitoring solutions to detect vulnerabilities and active threats across the OT environment, including controller devices.

Taking OT cyber resilience to the next level requires a scalable, centralized platform that features threat detection and the latest deception technology. Threat actors continue to breach building systems with both targeted and ransomware attacks, potentially impairing hospitals, utilities, data centers, airports and other critical infrastructure. To foil these attacks, current solutions, such as the Honeywell Threat Defense Platform, use autonomous, AI-enabled deception tactics to outsmart attackers and high-fidelity threat detection to detect and control attacks.

The latest generation of deception technologies confuses threat actors, leading them away from critical assets to decoys that appear to be valuable OT and IT assets instead. This results in higher rates of detection with less alert fatigue. However, the devices aren’t real and provide no access to actual enterprise assets. The solution makes real, critical operational devices harder to find, slowing adversaries and helping security teams capture them faster.

Deception technologies require no prior knowledge of attacker tactics and can be deployed without special training or modifications to existing OT environments. As OT and IT systems continue to converge, it’s essential for organizations to assess potential cyber risk across their environments and take action to enhance their security posture.

^[i] U.S. Securities Exchange Commission, Cybersecurity risk management, strategy, governance, and incident disclosure. March 9, 2022. [Accessed August 30, 2022]

^[ii] U.S. Securities Exchange Commission, SEC proposes rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies, March 9, 2022. [Accessed August 30, 2022]

^[iii] IBM, Cyber resilient organization study: 2021 [Accessed August 31, 2022]

^[iv] Honeywell Building Technologies, Securing operational technology: building cyber resilience, February 2022. [Accessed August 31, 2022]