What the SEC Cybersecurity Regulations Mean for Manufacturing

First in July of 2023, and then as amended in December, the U.S. Securities and Exchange Commission’s latest regulations on cybersecurity disclosures added a new dynamic to enterprise security plans. Here, I’ll provide an overview of the guidelines and the challenges and opportunities each aspect presents to the industrial sector.

Before diving in, it’s important to note that SEC regulations only pertain to publicly traded companies. However, many in the industry see these guidelines as a potential template for legislative action that could expand the set of entities identified as critical infrastructure in the Cyber Incident Reporting for Critical Infrastructure Act of 2021. The next step could extend this classification to more manufacturing enterprises because of their role in critical supply chains.

If this comes to fruition, more manufacturing, power generation and water treatment facilities will need to introduce or enhance their cybersecurity plans to include many of these same elements. 

The New Standard – Part I

The SEC’s final rule requires public companies to disclose any material cybersecurity incident within four business days, although certain exceptions apply in cases of national defense or security. Part of this reporting includes a specific requirement to describe a company’s internal cybersecurity risk management policies, including the board of directors’ role in overseeing these processes.

This information also needs to be included in the company’s Annual Report. The incident disclosures on Form 8-K should cover the nature and likely consequences of the breach, as well as its timing and its impact on the company from both a financial and an operational perspective.

What does this mean to the industrial sector: First, it’s not just about raising a red flag, but about having a process in place for doing so. That means developing a way to share how cyberattacks, and cybersecurity overall, are being addressed. This is not a simple process, but it will be vital for a couple of reasons.

Primarily, creating and implementing these processes will help break down the mentality of many in the industrial sector who feel they’re not a target because of the size, geography or product focus of their enterprise. Second, these plans demonstrate to all stakeholders, whether the connection is financial, supply chain-based or industry-adjacent, that threats are being addressed on an ongoing basis.

In addition to being a requirement, providing perspective on the potential impact of an attack will lead industrial organizations to a better understanding of their OT landscape. Guidance emanating from the SEC has obvious financial priorities, but being forced to detail operational impact could prove to be a huge opportunity.

It will force organizations to gain a greater understanding of their OT attack surface. As more connected assets are deployed to capture the production and competitive efficiencies those technologies offer, knowing the full extent of an attack across all of these assets has been an ongoing challenge.

The New Standard – Part II

The company must also disclose in its Annual Report whether the attack will have an impact on business strategy, including changes to internal structure, policies, procedures or technologies being implemented. Additionally, companies are required to disclose details of their cybersecurity risk assessment program. This includes describing how they assess, identify and manage cybersecurity risks, and to what extent they rely on consultants or other parties outside the company.

Finally, the rule requires a detailed description of the board’s role in overseeing cybersecurity risks, as well as executive management’s role in assessing and managing these threats. This would include any specific board committee or subcommittee that oversees cybersecurity and receives regular updates from the company’s management or cybersecurity teams.

What does this mean to the industrial sector: It means cybersecurity goes beyond planning for, detecting and identifying threats, and must focus on response and remediation as well.

Progress on Remediation: Commenters expressed concerns about the requirement to disclose progress on remediation, noting that such information could expose them to more attacks. Some suggested that no updates should be required until remediation is sufficiently complete. These comments were considered in the final rule, leading to modifications in the disclosure requirements: the final rule removed the requirement to disclose remediation status and clarified that specific technical information about the planned response isn’t required in the disclosure.

A third nuance is the requirement to disclose the company’s use of third-party service providers in managing cybersecurity risks. This requirement recognizes the significant role that third-party service providers often play in a company’s cybersecurity risk management and the potential risks associated with those providers. The Final Rules note that the SEC believes it is essential for investors to know a registrant’s level of in-house versus outsourced cybersecurity capacity, as this information is necessary for investors to assess a company’s cybersecurity risk profile when making investment decisions.
