
Will smaller companies fail to comply with SEC reporting requirements?

The SEC's new incident reporting requirements have raised numerous questions and concerns among security experts and government agencies.

One criticism is that the requirements duplicate those of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and will create even more work for already resource-constrained cybersecurity teams.

Another concern is that a four-day disclosure window is not only too early to determine the impact, but that publicly disclosing sensitive details of a breach immediately after it occurs could also draw malicious actors to exploit the vulnerability before it is fixed.

Opinions and speculation aside, the challenges are real.

  • Today, data flows between numerous companies, systems and subsidiaries, making it extremely difficult to distinguish between victims and perpetrators.
  • Determining what “may be material to investors” is not always obvious and requires significant administrative effort.
  • Building communication with senior management and the board of directors will become even more important and will require further education and training.

For a large company with a CISO and a full SOC team, this is a herculean task. Now imagine what it will be like for smaller companies with fewer resources.

Starting June 15, smaller businesses will now have to comply with the regulations just like large companies. These strict requirements could inadvertently penalize companies, stifle innovation and hinder their growth.

Will startups buckle under the pressure? That remains to be seen. But one thing is certain: if CISOs struggle, smaller companies will suffer too.

As a small organization, you can take the following steps to mitigate the impact.

Step 1: Familiarize yourself with the most important security frameworks

First, familiarize yourself with all the major frameworks. Fortunately, there are numerous resources that can help a company prepare.

  • EU Directive on Network and Information Security v2 (NIS2): a directive that aims to achieve a high common level of cybersecurity across the European Union. It updates the original NIS Directive to address new threats and improve the security of network and information systems. NIS2 provides guidelines to ensure the security and resilience of critical infrastructures that are essential for organizations operating in the EU.
  • NIST Cybersecurity Framework (CSF): a set of guidelines and best practices to help organizations manage and reduce cybersecurity risks. Widely used in the United States and internationally, it helps organizations align and prioritize their cybersecurity activities based on business needs and provides a common language for risk management.
  • NIST Risk Management Framework (SP 800-53): This framework provides organizations with a process for managing security and privacy risks and provides a catalog of security and privacy controls for government information systems and organizations. It helps organizations implement a risk-based approach to security and ensures that controls are tailored to specific needs and risks.
  • NIST Guidelines for Protecting Confidential Information (SP 800-171): This guideline provides requirements for protecting controlled unclassified information (CUI) in non-federal systems and organizations. It helps organizations comply with federal regulations for protecting confidential information and reduce the risk of unauthorized access and disclosure.
  • ISO/IEC 27000: A family of standards for information security management systems (ISMS), including ISO/IEC 27001, that specifies requirements for the establishment, implementation, maintenance and continuous improvement of an ISMS. It provides a comprehensive framework for managing information security risks and ensuring the security of information assets.
  • Center for Internet Security (CIS) Critical Security Controls (CSC): The CIS CSC is a set of best practices for securing IT systems and data, including a set of prioritized measures to protect organizations and data from known cyberattack vectors. It helps organizations prioritize their security efforts by focusing on high-impact areas, thereby improving their overall security posture.

In addition, there are a number of global data protection frameworks such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, the German Federal Data Protection Act (BDSG) and the South African Protection of Personal Information (POPI) Act. These serve to protect personal data by regulating how personally identifiable information (PII) is collected, processed and stored.

Step 2: Build a security team

Building a robust security program from scratch can be a daunting challenge, especially for smaller organizations with limited resources. However, with strategic planning and the right approach, it is possible to create a solid security foundation with minimal resources. Here are some quick and easy steps to create a security program:

  • Put together a small SOC team. Hire an experienced security professional, an infrastructure security engineer, an application security engineer, and a compliance professional. These roles require experienced professionals who can create a security roadmap, prioritize tasks based on risk, and implement scalable processes. These team members should also be able to implement key elements of the security roadmap themselves.
  • Get closer to the technology. If you aren't already closely aligned with your development team, start now. Engineers familiar with the product can identify security vulnerabilities and opportunities for improvement. This is critical to integrating secure practices throughout the software development lifecycle, incorporating penetration testing results, and adding customer-facing security features. While this is challenging at startups due to limited resources, demonstrating how early security measures save time can help gain the commitment needed.
  • Automate, automate, automate. This may sound obvious, but look for simple ways automation can streamline security processes—from infrastructure monitoring and automated remediation to code analysis and vulnerability management. Automation enables startups to seamlessly integrate security into every process, which not only improves security but also saves development time.
  • Try open source. While open source security tools eliminate the need for licensing fees, they require time to implement and configure. Startups with small teams may find it more beneficial to choose tools that can be deployed and managed by vendors, ensuring that security improvements are both practical and cost-effective.
  • Cover the basics of risk and vulnerability management. Most breaches are related to known vulnerabilities and human error. Ensuring good visibility of the attack surface, scanning all assets, and maintaining appropriate SLAs for critical vulnerabilities are extremely important, and this is where the greatest risk lies.
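The last point above, attack-surface visibility plus remediation SLAs, is the one that can be checked mechanically. The following is an added example, not code from the article: given an asset inventory, the list of assets the scanner actually covered, and the open findings, it reports unscanned assets and findings that have exceeded their remediation SLA. The SLA values, asset names, finding identifiers and dates are all constructed for illustration and are not figures from the article; substitute your own policy and your scanner's export.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Remediation SLA in days per severity. Assumed example policy, not the
# article's figures; set these to match your own vulnerability-management SLA.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str          # placeholder identifier, not a real advisory
    severity: str
    first_seen: date
    fixed_on: Optional[date] = None


def sla_for(severity: str) -> int:
    """Look up the SLA, rejecting severities the policy does not define."""
    key = severity.strip().lower()
    if key not in SLA_DAYS:
        raise ValueError(f"no SLA defined for severity {severity!r}")
    return SLA_DAYS[key]


def days_open(f: Finding, as_of: date) -> int:
    """Days from first detection until the fix, or until `as_of` if unfixed."""
    end = f.fixed_on or as_of
    return (end - f.first_seen).days


def is_overdue(f: Finding, as_of: date) -> bool:
    """An unfixed finding is overdue once it has been open longer than its SLA."""
    return f.fixed_on is None and days_open(f, as_of) > sla_for(f.severity)


def unscanned_assets(inventory, scanned):
    """Assets in the inventory that the scanner never reported on."""
    return sorted(set(inventory) - set(scanned))


def sla_report(inventory, scanned, findings, as_of: date) -> dict:
    """Coverage gap plus overdue findings, worst SLA breach first."""
    overdue = [
        {
            "asset": f.asset,
            "finding_id": f.finding_id,
            "severity": f.severity,
            "days_over_sla": days_open(f, as_of) - sla_for(f.severity),
        }
        for f in findings
        if is_overdue(f, as_of)
    ]
    overdue.sort(key=lambda o: o["days_over_sla"], reverse=True)
    covered = len(set(inventory) & set(scanned))
    return {
        "coverage_pct": round(100.0 * covered / len(inventory), 1) if inventory else 0.0,
        "unscanned": unscanned_assets(inventory, scanned),
        "overdue": overdue,
    }


# Constructed sample data: a four-host inventory, one host missed by the scanner,
# and four findings (one already fixed). Dates are arbitrary.
AS_OF = date(2024, 7, 1)
INVENTORY = ["web-01", "web-02", "db-01", "build-01"]
SCANNED = ["web-01", "web-02", "db-01"]
FINDINGS = [
    Finding("web-01", "FINDING-001", "critical", date(2024, 6, 20)),       # 11 days open, SLA 7
    Finding("web-02", "FINDING-002", "high", date(2024, 6, 10)),           # 21 days open, SLA 30
    Finding("db-01", "FINDING-003", "medium", date(2024, 3, 1)),           # 122 days open, SLA 90
    Finding("web-01", "FINDING-004", "critical", date(2024, 5, 1), date(2024, 5, 5)),  # fixed
]

if __name__ == "__main__":
    report = sla_report(INVENTORY, SCANNED, FINDINGS, AS_OF)
    print(f"scan coverage: {report['coverage_pct']}%  unscanned: {report['unscanned']}")
    for o in report["overdue"]:
        print(f"OVERDUE {o['asset']} {o['finding_id']} ({o['severity']}) "
              f"{o['days_over_sla']} days past SLA")
```

Run it on a periodic schedule against the scanner's export and the asset inventory; the two numbers worth watching over time are the coverage percentage (an asset that is never scanned has no findings and looks clean) and the count of overdue criticals.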

While there is no silver bullet, these frameworks and steps give smaller companies a starting point for understanding the new incident reporting rules. While the new requirements create pressure, they act as a driving force for the inevitable: building a solid security foundation.