Cybersecurity compliance isn’t just a buzzword—it’s an evolution in corporate responsibility, especially with the SEC’s new rules that dictate how public organizations manage and report cyber risks and incidents.
Grant Thornton recently published an article titled “SEC Heightens Urgency on Cybersecurity.” It summarizes the SEC’s new rules that went into effect in December and how they affect organizations from now on.
The new rules require organizations to sharpen their focus on transparency and governance frameworks. This is no minor administrative update, and adaptation is not optional.
Accurate, reliable data sits at the heart of compliance, and achieving that is no small feat. If your internal departments treat data sharing like a game of tag or your asset reporting reads more like fiction than fact, you’re looking at a compliance headache of epic proportions.
The Rules In Brief
In my role as an ITAM professional specializing in public sector organizations, the recent unveiling of the SEC’s compliance regulations directly impacts how I advise my clients. ITAM’s role in ensuring organizational strategy meets regulatory demands has become more critical than ever. Here are some excerpts from the Grant Thornton article and my thoughts:
“Companies need to be prepared to comply with the SEC’s rules, which focus on providing transparency to investors. An organization that has weak cybersecurity controls may pose more risk to investors, and a company with a substantial breach may experience reputational harm and loss of value.
To compel organizations to provide that transparency, the SEC is requiring that registrants disclose:
- Their board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material cybersecurity risks on an annual basis.
- Their processes for assessing, identifying and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previously likely cybersecurity incidents on an annual basis.
- Any cybersecurity incident they deem to be material — as well as its scope, nature and timing — within four business days after determining that the incident is material.”
My Thoughts: Good money says most boards will stop with CISO and not ask about ITAM or SAM. And most CISOs will not offer up any cooperation with existing internal ITAM or SAM groups. It is a shame because when cybersecurity and ITAM are encouraged to work together, the organization can improve its cybersecurity and reduce its IT operational costs simultaneously!
The Board Of Directors
“The board of directors has the ultimate oversight of cybersecurity risks through board committees or subcommittees that are directly responsible on a regular basis to be kept abreast of changes in the cybersecurity risk situation and help guide the board in its oversight,” said Grant Thornton Managing Director for Cybersecurity and Privacy Services Max Kovalsky.
The final rule does not require boards to have a member with specific expertise in cybersecurity risk management, but Kovalsky said boards need to be educated on these risks to appropriately exercise their duties related to cybersecurity.”
My Thoughts: ITAM asset lifecycle management ensures the board can depend on accurate and trustworthy data because it describes how IT assets move through the organization and how to find IT assets that skip a step – which would signal a potential security risk.
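The “skipped a step” check described above, as an added example that is not code from the original post or from Grant Thornton: it assumes a hypothetical six-stage asset lifecycle and a constructed inventory event log (both illustrative, not any real ITAM schema), and flags assets that reached a stage with no record of an earlier one, as well as assets whose recorded stages run backwards.

```python
"""Added example (not part of the original post): a small asset-lifecycle
integrity check. The lifecycle order and the event log below are
hypothetical, constructed for illustration only."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical lifecycle stages, in the order every asset is expected to pass through.
LIFECYCLE = ["requested", "procured", "received", "configured", "deployed", "retired"]
STAGE_INDEX = {stage: i for i, stage in enumerate(LIFECYCLE)}


@dataclass(frozen=True)
class Event:
    asset_id: str
    stage: str
    date: str  # ISO date; the log is assumed to be already in chronological order


# Constructed sample inventory events (not real data).
SAMPLE_EVENTS = [
    # LAP-001: a clean lifecycle, nothing to report
    Event("LAP-001", "requested", "2024-01-02"),
    Event("LAP-001", "procured", "2024-01-05"),
    Event("LAP-001", "received", "2024-01-09"),
    Event("LAP-001", "configured", "2024-01-10"),
    Event("LAP-001", "deployed", "2024-01-11"),
    # LAP-002: deployed with no "configured" record, i.e. the build/hardening step was skipped
    Event("LAP-002", "requested", "2024-01-03"),
    Event("LAP-002", "procured", "2024-01-06"),
    Event("LAP-002", "received", "2024-01-09"),
    Event("LAP-002", "deployed", "2024-01-09"),
    # SRV-010: appears directly as deployed; procurement never saw it (untracked asset)
    Event("SRV-010", "deployed", "2024-02-01"),
    # LAP-003: retired, then deployed again without going back through configuration
    Event("LAP-003", "requested", "2023-11-01"),
    Event("LAP-003", "procured", "2023-11-03"),
    Event("LAP-003", "received", "2023-11-08"),
    Event("LAP-003", "configured", "2023-11-09"),
    Event("LAP-003", "deployed", "2023-11-10"),
    Event("LAP-003", "retired", "2024-01-15"),
    Event("LAP-003", "deployed", "2024-02-20"),
]


def find_skipped_steps(events):
    """Return {asset_id: [missing stages]} for every asset that reached some
    stage without a record of each earlier stage in LIFECYCLE."""
    seen = defaultdict(set)
    for e in events:
        if e.stage not in STAGE_INDEX:
            raise ValueError(f"unknown lifecycle stage {e.stage!r} for {e.asset_id}")
        seen[e.asset_id].add(e.stage)
    findings = {}
    for asset_id, stages in seen.items():
        furthest = max(STAGE_INDEX[s] for s in stages)
        # Only stages *before* the furthest one reached are expected to exist.
        missing = [s for s in LIFECYCLE[:furthest] if s not in stages]
        if missing:
            findings[asset_id] = missing
    return findings


def find_out_of_order(events):
    """Return sorted asset ids whose recorded stages move backwards in the log
    (for example a retired asset reappearing as deployed)."""
    last_index = {}
    regressed = set()
    for e in events:
        idx = STAGE_INDEX[e.stage]
        if e.asset_id in last_index and idx < last_index[e.asset_id]:
            regressed.add(e.asset_id)
        last_index[e.asset_id] = idx
    return sorted(regressed)


def lifecycle_report(events):
    """Combine both checks into one summary a governance reviewer can read."""
    skipped = find_skipped_steps(events)
    regressed = find_out_of_order(events)
    return {
        "assets_seen": len({e.asset_id for e in events}),
        "skipped_steps": skipped,
        "out_of_order": regressed,
        "flagged": sorted(set(skipped) | set(regressed)),
    }


if __name__ == "__main__":
    for key, value in lifecycle_report(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

In practice the event log would come from the ITAM system’s own history tables; the point of the check is that each flagged asset is a concrete, explainable item for the CISO and the board rather than a vague “our inventory may be incomplete.”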
The latest SEC regulations serve as a critical reminder that cybersecurity compliance is now a core element of corporate governance. Public organizations must adapt to the changes to maintain investor trust and avoid the pitfalls of non-compliance. Accurate and reliable IT asset data ensures that your board of directors can fulfill its oversight duties with confidence.
I encourage you to set up a research call with me to uncover how the SEC standards are – and will be – affecting your organization. Let’s explore ways to strengthen your ITAM processes – and train your team to make the changes permanent.