For many, the SEC’s proposed new rules on cybersecurity are a long time coming.  The increases in frequency and impact of security breaches are well documented, as the digital economy continues to expand and affect business models, customer experiences, products,  and operations.  Cybersecurity is now a top risk category for many companies, and increasingly is a focus and conversation at the Board and C-Suite level.

However, with any shift in the regulatory environment comes questions, uncertainty and new challenges.  Concerns have been raised about the additional costs and burdens that will be imposed, particularly with smaller public companies.  There are questions around the requirements to report incidents, whether it will impede efforts to address breaches and expose vulnerabilities to threat actors. And some even wonder whether the new requirements go far enough.  

Given how strongly the objectives and outcomes of strong security program management align with those of the new SEC rules, Blue Lava broadly supports the SECs efforts and has responded to the SEC’s request for public input.  You can read Blue Lava’s contribution here.

To summarize our perspective and response to the SEC:

• Blue Lava was created with, by, and for the cybersecurity community, founded on the premise of the increasing alignment of security programs to the business.  It is an essential task in today’s digital economy, and if done poorly, exposes companies to significant risk.  That is why we broadly support the new rules.
• We believe disclosure by public companies on their cybersecurity risk management, strategy and governance will add much-needed focus on these critical practices from Boards and C-Suite Executives, and will help to align the important work CISOs and their teams do with major business priorities and objectives.  
• We also believe that increased transparency is beneficial to the investor community, given the significance of the digital risks companies face.  Being able to understand and assess the maturity and comprehensiveness of a company’s cybersecurity program, and therefore the relative levels of risk exposure companies face, is an important factor in a company’s valuation.
• However, assessment frameworks established to meet existing compliance needs were not built to achieve these objectives.  Compliance and cybersecurity are not the same thing, and a cybersecurity-centric framework and methodology that is continuously updated and managed throughout the year (not a point in time) would yield much more tangible and consistent insights.
• We recommend adopting a common language to support the ability to communicate or report on cybersecurity efforts consistently.  A cybersecurity-centric holistic framework would help address that. It would need to reflect modern cybersecurity practices and domains, create simple and common language that can be applied across industries and understood by both technical and non-technical executives, and be flexible enough to adapt to shifts in technology and the threat landscape. 

We look forward to continuing to engage with the SEC and the broader cybersecurity community to help understand and adopt the practices included in the new rules.  We plan to host an online discussion on May 24th regarding the SEC rules and their potential impacts.  You can find more information and register, for the event here.