Navigating SEC’s New Cyber Disclosure Regulations with Incident Command Centers

The Securities and Exchange Commission’s new regulations, taking effect in December, will require public companies to report material cyber incidents within four days. This is a significant change – the four-day timeline is notably short, and the rule extends to cyber incidents affecting an organization’s data held by a supplier. The implications of this regulation are therefore not confined to public companies but reach throughout their entire supply chain.

The SEC has laid out its rules succinctly. First, it gives companies only four days to disclose a cyber incident. Second, its application is broad – it covers not only the internal security, IT and in-house legal functions within the organization but also external service providers such as law firms, insurers and public relations firms. It demands vigilance on the part of companies and highlights the need to confront these challenges in a strategic and organized way.

A system to deal with this regulation calls for a cyber incident command center, as explained by Arvind Parthasarathi, the founder and CEO of Cygnvs. This center should provide a single dashboard view of the cyber incident and could serve as the system of record for incident response. This would centralize the diverse response efforts and integrate internal as well as external stakeholders.

In order for this to work, the command center must remain separate from the corporate network, because the usual communication channels may themselves be compromised during a cyber incident. Coordination is key for such a system: it would allow the organization to control who gets access to what information and when, which could also help protect legal privilege.

Meeting the stringent requirements of these new regulations will not be an easy task, but adopting strategies such as integrated and contemporaneous reporting of incidents could make it more manageable. It’s important to remember that even small events that seem immaterial on their own could collectively amount to a material occurrence.

Another recommended strategy is to create a practical and realistic response plan within the incident command center. It should be simple and broken into task lists that are custom-made for each individual’s role and responsibility. Conducting “tabletop” simulations could also help the company build “muscle memory” on how to respond to a cyber crisis.

In our increasingly connected economy, where even suppliers may hold sensitive information about a company, it becomes imperative to bring key suppliers into a corporation’s response strategy. This should be initiated ahead of any incident, so that everyone involved has mutually agreed-upon strategies for response.

As we look ahead, managing the complexities of these new regulations is a challenge best addressed by setting up a command center for cyber incidents. Not only would this help in responding to a cyber event in a timely and efficient manner, but it would also fulfill the new reporting mandate.
