Issue 01
The new SEC cybersecurity disclosure rule
Want to know more? Get our guide on what you need to know about the new SEC rules for cybersecurity disclosures.
Currently speaking
A quick Q&A with Tiffany Kleeman
What do you see as the biggest challenge presented by the new SEC cybersecurity disclosure requirements?
I think there are two big challenges for organizations. The first is the additional layer of visibility to investors—specifically, what companies are doing related to cyber incident response, cyber risk management, and governance overall for the enterprise. The second is accountability. These are things that many enterprises should be doing anyway. But now there are more ramifications from a regulatory standpoint.
How are the new rules shaking up current cybersecurity practices on a larger scale?
The landscape is changing practices, as well as the disclosure of those practices. It has never previously been a requirement for publicly traded companies to disclose certain things about their cybersecurity program and who is responsible for what. It's a new world that's constantly evolving, with new regulations coming out frequently. I don't see this trend slowing down; rather, it may continue, especially for what are historically unregulated industries.
What training or information might organizations need to comply with the new rule?
Well, there is guidance from the SEC out there, but it may not always be clear how much information should be disclosed and in what way. This is one of the reasons why Deloitte is pulled in to help clients navigate these issues. We've been conducting a series of SEC readiness assessments with our clients to line up the SEC rules against their existing processes, roles, and responsibilities. We evaluate their current incident response plans to determine where gaps might exist and help them develop a road map for refinements so they can be ready not if a cyber incident happens, but when.
What role should the board of directors play in ensuring compliance with the new SEC ruling?
The role of the board in cyber risk oversight has evolved, since cybersecurity is now one of the top three issues in the boardroom. It's also identified as one of the top three risks from an enterprise risk management perspective. Inevitably, one of the primary responsibilities of the board is around risk governance and oversight. It's important for directors to have a much clearer understanding of what cyber risk means for the business and, as a result, to get a little bit better educated about cybersecurity. The other role is making sure there's alignment on a company's cyber risk appetite and that the right investments are made to get to the right level of cyber risk tolerance.
What emerging cybersecurity trends should we be most concerned about?
The topic that tends to come up in boardrooms or management meetings is "Talk to me about the latest threats and trends around AI." Of course, we can and do talk about the latest trends and insights on the more sexy or hot topics, but the unfortunate thing is that bad actors are still leveraging relatively unsophisticated techniques like social engineering to wreak major havoc on companies. It doesn't take a lot, unfortunately, for a very successful ransomware attack to be initiated with social engineering, phishing email, and the like. It's important to know the fundamentals and controls needed from a defense-in-depth perspective, which can also prevent the more mundane but very effective threats.
Current landscape