Exploring the SEC's New Cybersecurity Risk Management and Incident Disclosure Rules (Part 2)

Navigating the SEC's Cybersecurity Rules and the Crucial Role of Integrity in Cybersecurity Threats and Incidents (Part 2 of 4)

As cyber threats grow in sophistication and frequency, regulators are stepping up their efforts to ensure that organizations are adequately prepared to mitigate these risks. The US Securities and Exchange Commission (SEC) has taken a significant step in this direction by introducing new cybersecurity risk management and incident disclosure rules. These rules emphasize the principles of confidentiality, integrity, and availability – collectively known as the CIA triad – as essential components of a robust cybersecurity strategy. This blog will explore the SEC's new rules and how integrity is incorporated into its fundamental principles.

Incorporating the CIA Triad

The CIA triad – confidentiality, integrity, and availability – has long been a cornerstone of information security. The CIA triad forms the foundation of security strategies and helps organizations assess and address risks to their information and systems. By considering these three principles, security professionals can create comprehensive security solutions that balance the need for protection against the practical requirements of data use and access.

Let's see how each principle aligns with the SEC's new rules as outlined in the Proposed 229 CFR 229.106(a) (Regulations S-K “Item 106(a)”) and the definition of a cybersecurity incident and cybersecurity threat.

• Confidentiality: The requirement for cybersecurity risk management programs addresses the confidentiality principle directly. Companies must establish measures and controls to protect sensitive information from unauthorized access, ensuring that customer data, trade secrets, and other valuable information remain confidential.
• Integrity: The incident disclosure component of the rules highlights the importance of maintaining the integrity of information. Companies must provide accurate and complete details about cybersecurity incidents to ensure investors have reliable information for decision-making.
• Availability: The emphasis on board oversight highlights the availability principle. Companies must ensure that resources, including systems, personnel, and funding, are available to implement and maintain effective cybersecurity risk management practices.

Cybersecurity Threats and Integrity

Cybersecurity threats encompass various malicious activities, from hacking attempts and data breaches to ransomware attacks and insider threats. Integrity is a foundational pillar in ensuring an organization's cybersecurity resilience amid this evolving threat landscape.

1. Trustworthiness: The integrity of an organization's systems, processes, and personnel directly influences its ability to fend off cyber threats. A culture of trustworthiness instills confidence in customers, investors, and partners, making it harder for threat actors to exploit vulnerabilities.
2. Secure Design and Implementation: Integrating integrity into the design and implementation of systems/software ensures they are resistant to tampering, unauthorized access, and manipulation. Secure software development practices like code integrity checks and strong encryption can thwart potential attacks.
3. Insider Threats: Integrity extends to personnel within an organization. Insider threats (intentional or unintentional) can have devastating consequences. Cultivating a culture of ethical behavior and accountability among employees can significantly mitigate the risk of insider-related breaches.

Cybersecurity Incidents and Integrity

Even the most robust and well-funded cybersecurity defenses will certainly have cybersecurity incidents. When incidents occur, integrity plays a pivotal role in how organizations detect, respond, recover, and learn from these events.

1. Transparency: Demonstrating integrity through transparent communication about the incident builds trust with stakeholders. Being forthcoming about the incident's impact, the steps taken to address it, and the measures implemented to prevent recurrence showcase the organization's commitment to cybersecurity and accountability.
2. Timely Detect & Response: Integrity shines through a timely and well-coordinated response to cybersecurity incidents. Swiftly containing the incident, notifying affected parties, and cooperating with regulatory bodies reflect an organization's dedication to minimizing damage and rectifying the situation.
3. Continuous Improvement: Cybersecurity incidents serve as learning opportunities. Integrating integrity into incident response involves conducting thorough post-incident analyses, identifying vulnerabilities, and implementing corrective actions. This commitment to improvement reinforces an organization's integrity-driven approach to cybersecurity.

Integrity management (aka System Integrity Assurance) is a fundamental aspect of information security that involves maintaining data and resources' accuracy, consistency, and reliability throughout its entire life cycle. Several security controls contribute to integrity management. Here are vital controls and functionality:

• Data Validation and Verification:
  • Input Validation: Ensuring that data entered into systems is correctly formatted and within expected ranges to prevent malicious input.
  • Data Verification: Using checksums, hashes, or digital signatures to confirm the integrity of transmitted or stored data.
• Configuration Management:
  • Baseline Configuration: Defining and maintaining a secure baseline configuration for systems and applications.
  • Configuration Change Monitoring: Tracking and reviewing configuration changes to prevent unauthorized modifications.
• Change Management:
  • Version Control: Managing changes to code, configurations, and other assets to track modifications and prevent unauthorized alterations.
  • Change Authorization: Implementing a workflow and processes to review, approve, and document changes before they are applied.
  • Change Prevention: Limiting the authority of who can and cannot make changes within an operating environment to prevent malicious or circumvented processes by hackers or unauthorized personnel.
• Backup and Recovery:
  • Regular Backups: Creating copies of data and resources to restore them in case of data loss or corruption.
  • Disaster Recovery Planning: Executing a process to quickly recover and restore data/service in the event of a disaster.
• Auditing and Logging:
  • Event Logging: Recording significant events and actions in a system to maintain a historical record for analysis and investigation.
  • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): Monitoring network and system activities for unauthorized or anomalous behavior.
• File Integrity Monitoring (FIM):
  • Continuously monitor critical system files and configurations for unauthorized changes using a FIM tool.
• System Hardening:
  • Utilizing configuration best practices of CIS Benchmarks or DISA STIGs to establish a foundation or root of trust.
• Allow Listing Database:
  • Incorporating an allowlisting database (aka whitelisting), which provides irrefutable evidence and chain of custody relative to validating and verifying if a specific set of files was developed by known and trusted software developers/companies.
• STIX & TAXII Feeds:
  • Incorporating STIX/TAXII intelligence provides further evidence to help meet the SEC's objective of identifying cybersecurity threats.

These controls collectively contribute to maintaining the integrity of data, systems, and resources, reducing the risk of unauthorized or accidental modifications that could compromise the accuracy and trustworthiness of information.

CimTrak and the SEC Integrity Requirements

CimTrak incorporates all of these critical controls and functionality as defined by the new SEC rule. With its real-time monitoring, compliance auditing, configuration management, and incident response capabilities, CimTrak is the perfect solution for the SEC’s new cybersecurity risk management and incident disclosure rules.

Conclusion

The SEC's new cybersecurity risk management and incident disclosure rules significantly enhance cybersecurity practices within public companies. By incorporating the fundamental principles of integrity, these rules aim to create a more secure and transparent environment for investors and stakeholders. As businesses adapt to these new requirements, they will be better equipped to navigate and report cybersecurity threats and incidents and contribute to building a more trusted and resilient IT infrastructure. Learn how CimTrak can simplify and provide continuous compliance with this new rule by visiting   https://www.cimcor.com/cimtrak-integrity-suite.

Disclaimer: This blog article is only a brief summary of the new Cybersecurity Risk SEC rule and does not constitute legal advice. Should you encounter a situation that constitutes a Cybersecurity Incident or any matter touched upon in this article, you should consult with legal counsel having experience in this area of the law and not rely on the information provided in this article.