Founder and CEO of Balbix. Serves on the boards of several companies.
2023 was a tumultuous year for CISOs, as the U.S. Securities and Exchange Commission’s (SEC’s) newly introduced cybersecurity rules are set to change the way organizations approach their cybersecurity health in 2024 and beyond.
Any new regulation brings uncertainty and confusion for the individuals responsible and accountable for ensuring compliance. This is especially true for the SEC’s incoming rules, which affect thousands of U.S. public companies as well as their CISOs and CEOs.
Here are four predictions on how the actions of the SEC will impact organizations and the role of the CISO in 2024.
1. The SEC will set a legal precedent for cybersecurity management.
With the SEC’s cybersecurity rules set to go into effect between December 2023 (for larger reporting companies) and June 2024 (for smaller reporting companies), uncertainty remains about how the rules will be enforced or what the fallout from a late-reported hack or breach looks like with the SEC at the helm of enforcement.
In 2024, we will see the SEC set a legal precedent for poor cybersecurity management and late material incident reporting. During this time, the SEC will also set a working, legal definition of “materiality” for organizations to operate with. This legal precedent will hold the CISO and CEO accountable with specific penalties for not following the rules. The SEC will litigate and attempt to secure tangible penalties. Once the legal precedent is set, this will likely set the tone for how regulations are enforced and how organizations move forward, knowing the consequences of disregarding the rules.
2. Cyber insurance policies will require good cyber risk management.
Cyber insurance has been a go-to for many organizations with an online presence or technology-based systems since the 2000s. As the cyber landscape becomes increasingly volatile for all organizations (not just the major players), cyber insurance policies will continue to evolve rapidly. Without strict risk and compliance management, more organizations will likely become uninsurable in 2024. For those organizations, it will be a wake-up call that their cyber health is not in good standing and is too much of a financial risk for insurers.
To avoid losing cyber insurance coverage, or to obtain good coverage in the first place, organizations must consistently reevaluate their cyber risk assessments and compliance standards to more accurately determine where their cyber shortfalls are. This is especially important for organizations that are working with reduced cyber budgets, as cyber insurance prices are rising 11% year-over-year.
3. The regulatory floodgates will open.
Following the legal precedent set by the SEC for cybersecurity incident reporting, we will see additional regulatory frameworks and compliance measures come from the federal government. This will be an even more likely reality if the SEC pursues legal action against multiple organizations for failing to meet the reporting timeline. If the SEC’s complaints are legally justified, this will provide a framework for additional offices within the federal government to introduce legislation or regulations that continue to hold organizations accountable for the data they lose to a bad actor.
At the state level, many states have their own legal framework for data breach reporting. If the legal precedent set by the SEC is successful, we may also see states start to further enforce their existing framework to better protect the sensitive information of their residents.
4. Cybersecurity regulations will shake up the C-suite outside of the financial sector.
A report by PwC found that only 30% of CISOs feel they get sufficient support from their CEO when it comes to managing cyber threats. Many CEOs often do not understand the impact of a cybersecurity incident until after it happens, as they pass the responsibility onto the CISO. When enforced federal regulation comes into the picture, the relationship between CEOs and CISOs will be forced to develop into a working partnership. This means there will be frequent conversations, greater honesty about cybersecurity and better organization-wide cyber alignment as they both work together to bolster their organization’s cyber health.
Organizations that take cybersecurity compliance seriously will also elevate outside CISOs or ex-CISOs to the board of directors. Adding a CISO to the board of directors not only shows an organization-wide commitment to prioritizing cybersecurity, but it also provides greater transparency on the organization’s overall cyber health.
The SEC’s regulatory framework for its cybersecurity rules solidified the federal government’s role in holding organizations accountable for the gaps in their cybersecurity plans. This federal presence will continue to be a hot topic amongst CEOs, CISOs and boards of directors as they look to navigate the growing regulatory landscape throughout the next year and beyond.