Saturday, May 13, 2023

Time’s up

Edward Liebig’s blog 


On March 15th, 2023, the U.S. Securities and Exchange Commission (SEC) announced it was reopening the public comment period on its proposed Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure requirements for 60 days. The proposed cybersecurity rules for publicly traded companies pose heightened legal, regulatory, and compliance risks to affected firms. The rules are a response to the recent increase in cyber threats targeting businesses. They highlight the importance of data protection and emphasize the need for companies to be proactive in safeguarding their networks, systems, and sensitive information. Sunday, May 14, 2023, marked the 60th day, and the comment period has run its course. Should the SEC adopt these rules, their stated aims are to enhance the security posture of these firms, protect investors, and maintain fair and efficient markets.

However, I truly believe they bring several challenges and will have impacts that are not yet obvious, which should prompt organizations to be mindful of the new compliance thresholds they must navigate. While the SEC's new cybersecurity rules offer benefits in terms of enhanced security, investor confidence, and market stability, companies must also contend with challenges, including compliance costs, legal and regulatory risks, and adaptation to new standards.

 Looking a bit closer: 

The Benefits: 

·       Enhanced security: By requiring disclosure of how cybersecurity risk is managed and governed, the new rules will push companies to adopt more stringent cybersecurity measures, reducing the risk of cyberattacks and data breaches.

·       Investor confidence: Better security measures can improve investor confidence in the stability and reliability of publicly traded companies.

·       Market stability: By imposing stricter rules, the SEC aims to maintain fair and efficient markets and reduce the potential impact of cyberattacks on market stability.

·       Standardization: These rules will provide a consistent set of guidelines and expectations for companies to follow, promoting uniformity and best practices in cybersecurity.

·       Timely disclosure: The new regulations will require companies to disclose material cybersecurity incidents and risks to investors in a timely manner, promoting transparency and informed decision-making. 

The Challenges: 

·       Compliance costs: Implementing the necessary changes to comply with the new rules may require significant financial and human resources, especially for smaller firms.

·       Legal and regulatory risks: Companies that fail to comply with the new regulations may face legal and regulatory penalties, including fines, sanctions, and reputational damage.

·       Adaptation: Companies will need to adapt their existing cybersecurity measures and policies to comply with the new rules, which could be complex and time-consuming.

·       Data privacy concerns: The rules may require companies to disclose sensitive information about their cybersecurity measures, which could raise privacy concerns or, if disclosures describe unremediated weaknesses, expose vulnerabilities to potential attackers.

·       Uncertainty: As the rules are finalized, companies may face a period of uncertainty regarding the precise requirements and the timeline for implementation, complicating their compliance efforts. 

So, a colleague asked me, “These rules look like something the financial services industry would care about. What is the impact on Hexagon customers?” Our products automate some of the largest and most complex ICS facilities in the world. We care enormously about cybersecurity and risk reduction. A good many of our customers are publicly traded and will be obligated to comply. 

As we noted in our 2022 year in review, there was a marked increase in malware specifically designed and deployed with the intention of attacking Industrial Control Systems (ICS). This is concerning because a material incident traced back to a cyber event could trigger these new disclosure requirements. 

With increased activity targeting ICS and these new rules on the horizon, there is a renewed and amplified call for OT operators to shore up OT security programs and technologies. From an OT perspective, I offer the following recommendations: 

General Action Plan: 

·       Know your enterprise: Ensure comprehensive cataloging and vulnerability identification are performed across ALL assets (IT and OT). In OT environments, prefer passive discovery over active scanning where devices may not tolerate unexpected traffic.

·       Risk Assessment: Conduct regular assessments of your organization's cyber risks, identify vulnerabilities, and prioritize their mitigation.

·       Security Policies: Develop, implement, and maintain comprehensive security policies and procedures to ensure data protection and network security.

·       Employee Training: Train employees on cybersecurity best practices, phishing awareness, and incident reporting procedures. Regularly update and reinforce this training.

·       Multi-Factor Authentication: Implement multi-factor authentication (MFA) for all users, especially those with privileged access to sensitive data and systems.

·       Regular Updates and Patches: Keep software, operating systems, and firmware up to date by applying security patches and updates in a timely manner. Where OT patch windows are constrained, test patches before deployment, schedule them for maintenance windows, and apply compensating controls in the interim.

·       Backup and Recovery: Regularly back up critical data and systems, and test your recovery procedures to ensure business continuity in case of a cyber incident.

·       Network Segmentation: Implement network segmentation to limit the spread of potential attacks and reduce the risk of unauthorized access to sensitive information.

·       Incident Response Plan: Develop a robust incident response plan and regularly review and update it to ensure preparedness for potential cyber incidents.

·       Monitor and Review: Continuously monitor and review your cybersecurity measures, adjusting them as necessary to address evolving threats and technologies.

·       Collaborate and Share Information: Engage with industry partners, government agencies, and cybersecurity organizations to share threat intelligence and best practices to enhance your organization's security posture. 

While the C-suite works on implementing the SEC's new cybersecurity rules across the organization, OT operators should take advantage of this catalyst for change. Operators should waste no time ensuring that all assets, their criticality, vulnerabilities, configuration, and risks are fully visible and accurate. 

As always, I am available and open to connecting on LinkedIn and carrying on further discussions. 

About the author:

Mr. Liebig is a proven, recognized expert on IT/OT security management, cybersecurity, and policy and privacy rights. His focus is on business enablement and value, integrating technology, people, policy, and processes. With over four decades in IT and OT, three of which are dedicated to cybersecurity, Mr. Liebig commands a comprehensive understanding of the end-to-end, national, and international cybersecurity challenges in enterprises and critical infrastructure. His experience as the CISO for several multinational corporations and as the head of MSSP professional services for critical infrastructure has demonstrated excellence in incorporating corporate IT/OT and cybersecurity, achieving business value, and building strategic IT and OT roadmaps. Mr. Liebig is an adjunct professor at Washington University in St. Louis, teaching master’s-level SOC Operations.
