Pressure Mounts On CISOs With Reporting Set To Rise By Up To 20x As SEC Bares Teeth With Legal Action

Panaseer, a leader in security posture management powered by Continuous Controls Monitoring (CCM), has released a blog analyzing the increased focus on cybersecurity posture in reports to the Securities and Exchange Commission (SEC). Panaseer warns this growth in reporting will place CISOs at real risk of legal action if their organizations’ statements do not match reality.

The Panaseer investigation into organizations’ annual 10-K filings reported to the SEC shows that, from January to May 2024, at least 1,327 filings mentioned ‘NIST’ (National Institute of Standards and Technology) – a key indicator that cybersecurity posture is present in a filing. This compares to just 110 during the same period of 2023 – a 12-fold increase – and 128 across the whole of 2023. On current projections, Panaseer predicts up to 2,600 such filings across 2024 – a more than 20-fold increase.

This will put pressure on CISOs for two reasons:

  1. The burden of additional cybersecurity reporting: December 2023’s new SEC rulings that incorporated cybersecurity risk into investor reporting mandated the inclusion of cybersecurity posture and processes in annual reports. Although CISOs won’t be directly responsible for compiling reports, they’ll need to work closely with the Enterprise Risk Management (ERM) team to ensure reports are accurate.
  2. The threat of legal action: Accurate reports demand a deep understanding of cybersecurity posture and risk exposure. Any discrepancies between reports and reality will be tantamount to lying to investors, leaving CISOs potentially facing charges. SolarWinds’ CISO, Timothy G. Brown, has already been charged by the SEC with fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.

The new regulation applies to listed enterprises, with two separate SEC reports that apply to cybersecurity:

  • A 10-K filing – a comprehensive annual report of critical information including financial performance. Now, organizations must detail their approach to cyber risk management, including cybersecurity strategy; board oversight; and management’s role in cyber governance.
  • An 8-K filing – a report announcing major events shareholders should know about. This now requires businesses to disclose “material cybersecurity incidents” – which are likely to impact investors – in a timely fashion. These must be reported within four days after the determination of materiality.

To satisfy the SEC, these filings need to accurately portray cybersecurity posture. The new rulings also reflect an ongoing shift in the CISO’s role. While not solely responsible for organizations’ risk posture, CISOs need to accurately portray risk posture and security processes to the ERM team and the board. CISOs need to understand and communicate their company’s cybersecurity practices clearly, with a data-driven approach that enables factual filings.

As such, Panaseer recommends that CISOs direct their focus towards ensuring that there is oversight and assurance over the security tools they have, verifying that those tools are working correctly across every asset.

To find out more about the SEC’s regulations and their impact on CISOs, visit Panaseer’s blog.
