Cyber Strategy

Cyber compliance is a hot topic in light of the new SEC rules going into effect at the end of this year. Many companies have waited to implement a program, but now is the time to focus and engage!

How to Create a Program 

In Top Cyber News Magazine, the August 2022 issue, I discussed “Effective Cyber Compliance” and the top steps to achieve an effective compliance program. In today’s global digital environment, a top priority is to protect sensitive proprietary information. It is equally important to protect consumers’ and partnering service providers’ data. This security expectation is now non-negotiable as data breaches skyrocket. Businesses must be secure and must demonstrate an active cybersecurity compliance program. Regulators, shareholders, and customers demand it.

If one thinks cyber compliance is expensive, try non-compliance.  

Costs:

According to IBM Security’s “The Cost of a Data Breach Report,” the global average cost of a data breach increased 2.6% from $4.24M in 2021 to $4.35M in 2022. This cost is the highest in history as reported in October 2022 by SecurityMagazine.com.

Regulations:

International, U.S., and state regulations, as well as third-party data sharing agreements, all mandate that businesses know what data they have, why they have it, if consent was given for the data, where the data is stored, who has access to the data, and why they have access. A strong data governance and protection plan makes business, ethical, and common sense.

Cyber compliance regulations are now being imposed to ensure a proper level of investment. Businesses must have visibility into their systems to proactively act, not just react.

On January 30, 2023, The Washington Post Cybersecurity 202 projected stricter regulation would be coming to include mandatory reporting and proper response plans. It is here! The SEC rules were approved on July 26, 2023, with an effective date of December 2023 for public companies, with a 2024 date for small businesses. Companies must have a program and warrant that is active and invested at the level necessary to protect the sensitivity or criticality of the data transiting their systems.

Case Study:

One simple example of the cost of non-compliance is that the State of New York fined an online clothing retailer $1.9 million.  Zoetop, owner of fashion brands SHEIN and ROMWE, was fined for failure to accurately and timely report a breach affecting 39 million customers.

According to CyberSecurityHub, this fine is in addition to lost revenue, reputation, and the remedial costs the business had to take, including follow-on State mandatory reporting.  Now with the 2023 SEC rule, what is under potential review will be the Board and management’s engagement in the cybersecurity program oversight. Yes, this is a new liability exposure for directors and senior leaders.  

Bottom Line

Don’t wait to invest in a cybersecurity and data governance program that includes specific, documented oversight mechanisms. The high costs of insecure cyber practices and/or immature reporting processes that may not pass a rigorous compliance review could signal the end when an unexpected breach happens. Focus on program integrity and resiliency now to be prepared and to prosper.