In December 2023, the SEC cybersecurity rules ushered in a new era, promising heightened cybersecurity discussions and a surge in filings. The question on everyone’s mind: Will this result in more secure companies or simply inundate us with paperwork?
Our portfolio company, Gem Security, today is launching its report titled “The New SEC Cybersecurity Rule: The Good, the Bad, and the Maddening Frustrations and Contradictions”, shedding light on the perspectives of CISOs who find themselves navigating these uncharted waters. I had the opportunity to contribute my own perspective alongside a few of my esteemed CISO colleagues.
The Good: Shedding Light on Security Controls and Threat Landscapes
As the report discusses, enterprise CISOs and experts are cautiously optimistic about the impact of the new rules. The hope is that they will illuminate companies’ security monitoring controls and threat landscapes, providing valuable insights for both internal stakeholders and potential investors. However, the delicate balancing act lies in revealing enough information to benefit the public without aiding cybercriminals, nation-states, and malicious actors.
Even my friend Joe Sullivan, the former Uber CISO who faced charges related to cybersecurity incident reporting, applauds the SEC’s efforts. In his words, “We can nitpick the details as much as we want, but this is the right way to do it.”
The Bad: The Challenge of Vague Guidelines
As the report delves into the intricacies of the new rule, it addresses common myths and realities. My own perspective, as reflected in the report, emphasizes the critical importance of governance. I talk about the fact that a well-documented governance process is paramount. I believe that CISOs need to be explicit about their risk identification and lifecycle management processes, clarifying aspects such as risk acceptance approval and setting risk tolerances with the board.
However, the challenge lies in the deliberately vague wording of the SEC rules. While designed to provide flexibility tailored to each company’s situation, many CISOs find the rules excessively vague, making it difficult to discern the SEC’s expectations. I believe that the lack of specificity puts CISOs in an untenable position, especially when the SEC has proven that it is willing to take action against them.
The Maddening Frustrations and Contradictions: Navigating Communication Challenges
One of the maddening frustrations highlighted in the report is the ambiguity surrounding communication. The SEC recently took action against a CISO, accusing them of misleading investors. The report points out the challenge CISOs face when their internal communications, which may have a different standard, are used against them in SEC submissions.
Gem security’s report underscores the need for CISOs to adapt swiftly to the new regulatory landscape. As the SEC aims to strike a balance between transparency and security, the challenges and contradictions demand a proactive and meticulous approach from cybersecurity leaders. To get some practical advice for following the new rules and to be aware of the catch-22s to stay out of trouble – take a look at the report!
Stay tuned as Team8, its global CISO Village, and portfolio companies continue to explore and navigate the evolving realm of cybersecurity regulations.