One interesting implication of the SEC’s new rules is that they apply to companies operating abroad, as long as those companies are registered with the SEC and listed on a US stock exchange.
This includes companies headquartered abroad but with operations in the United States, as well as companies headquartered here but with branches and subsidiaries in other countries.
Even though other countries may not take such a stringent stance on cybersecurity, these companies are still required to follow the new rules and strengthen their cybersecurity infrastructure in every jurisdiction where they operate. This matters because the world is now globalized and information exchange across borders is not seamless.
In the case of companies with global operations, incidents committed abroad could easily affect their US customers. So, multinationals need to ensure cybersecurity compliance across their organization and all subsidiaries. After all, a company’s cybersecurity is only as strong as its weakest link.
All is not perfect yet, though; the new regulations have elicited several questions and issues concerning how companies can ensure compliance. These are some of the major challenges that companies might face:
One prominent issue that the new rules do not clarify is how to define a material incident, that is, what constitutes materiality once a cybersecurity incident has occurred. Companies have little guidance to follow when determining which incidents they must report.
Given the level of disclosure required, leaders are worried about disclosing incidents without tipping off attackers. This is surely another dimension that cyber attackers will explore as they advance their threats.
Companies need to ensure that third-party entities, including partners, suppliers, and vendors, adhere to the same stringent cybersecurity standards even if those entities are not SEC registrants. Given the spate of third-party breaches these days, this concern is understandable.
The ultimate goal of the SEC’s new rules is to promote accountability regarding cybersecurity. As a startup, even if your company is not yet public, the rules contain insights that you can adopt in developing proactive strategies for combating cybersecurity threats in your organization.
For instance, you can start by implementing extensive and effective documentation of cybersecurity processes and incidents, elevating cybersecurity to a board-level concern with strict top-down oversight, and adopting a continuous risk management approach.