What the SEC Cybersecurity Regulations Mean for Manufacturing

The impact they will have on publicly traded companies now, and on others later.


First in July of 2023, and then amended in December, the U.S. Securities and Exchange Commission’s latest regulations on cybersecurity disclosures added a new dynamic to enterprise security plans. Here, I’ll provide an overview of the guidelines, as well as the challenges and opportunities each aspect presents to the industrial sector.

Before diving in, it’s important to note that SEC regulations obviously only pertain to publicly traded companies. However, many in the industry see these guidelines as a potential template for legislative action that could expand the entities identified as critical infrastructure in the Cyber Incident Reporting for Critical Infrastructure Act of 2021. The next step could expand this classification to include more manufacturing enterprises because of their role in critical supply chains.

If this comes to fruition, more manufacturers will need to introduce or enhance their cybersecurity plans to include the security assets and processes identified below. 

The New Standard - Part I

The SEC’s final rule requires companies to disclose any material cybersecurity incident within four business days, although certain exceptions do apply in cases of national defense or security. Part of this reporting includes a specific requirement to describe a company’s internal cybersecurity risk management policies, including the board of directors’ role in overseeing these processes.

This information also needs to be included in the company’s Annual Report. The disclosures on Form 8-K should include the nature and likely consequences of the breach, as well as its timing and its impact on the company from both a financial and an operational perspective.

What does this mean for the industrial sector? First, it’s not just about raising a red flag, but about having a process in place for doing so. That means developing a way to share how a cyberattack was addressed and how overall cybersecurity is being managed. This is not a simple process, but it will prove valuable for reasons that go beyond compliance.

Primarily, creating and implementing these processes will help dismiss the perspective of many in the industrial sector who feel they’re not a target because of the size, geography or product focus of their enterprise. Second, these plans demonstrate to all stakeholders, whether the connection is financial, legislative or supply chain-based, that threats are being addressed on an ongoing basis.

In addition to being a requirement, providing perspective on the potential impact of an attack will lead industrial organizations to a better understanding of their own OT landscape. Guidance emanating from the SEC has obvious financial priorities, but being forced to detail operational impact will prove to be a huge opportunity. As more OT and IT assets are deployed to capture the production and competitive efficiencies of Industry 4.0 technologies, knowing the security posture of all of those assets, and the full extent of an attack across them, has been an ongoing challenge.

Forcing manufacturers to disclose information on cybersecurity policies will ensure that they actually have such policies in place. Mandating that they report on the impact should drive better awareness and overall cybersecurity posture.

The New Standard - Part II

Companies must also disclose in their Annual Report whether an attack will have an impact on business strategy, including changes to internal structure, policies, procedures or technologies being implemented. Additionally, companies are required to disclose details of their cybersecurity risk assessment program. This includes describing how they assess, identify and manage risks from cybersecurity threats, and to what extent they rely on consultants or other parties outside the company.

Finally, the rule requires a detailed description of the board’s role in overseeing cybersecurity risks, as well as executive management’s role in assessing and managing these threats. This would include any specific board committee or subcommittee that oversees cybersecurity and receives regular updates from the company’s management or cybersecurity teams.

What does this mean for the industrial sector? Essentially, the SEC wants manufacturers to go beyond just planning for, detecting and identifying threats, and to focus on response and remediation as well. The reporting and accountability requirements should ensure top-down buy-in, which will benefit OT security teams when it comes to acquiring the tools and manpower needed to stay on top of the latest threats and vulnerabilities. The structure mandated by these guidelines will also help broadcast the significance of cybersecurity, taking it beyond an IT or OT issue to a non-siloed business priority that is, ideally, embraced throughout the organization.

The requirement to delve into details on the technologies used and other aspects of internal risk assessment has been somewhat contentious. Concerns were raised about sharing too much information on identification and remediation strategies, as that could be seen as tipping your hand to the hackers. The SEC responded to these concerns by modifying the requirements to state that specifics relating to response and remediation would not be required.

In other words, let everyone know you’re doing something, even if you don’t want to spell out your specific strategies. Disclosing the role played by third parties is also important, as it lends credence to response and remediation tactics even if they remain somewhat vague.

These regulations represent the latest paradigm shift for the industrial sector. Just as changes in investment, structure and reporting were needed as automation and software capabilities expanded, cybersecurity transparency will call for similar pivots. Using these requirements, along with the framework options and guidance available from organizations like NIST and CISA, should make the industry collectively more secure.

By sharing information and providing each other more insight into these attacks, we reduce the risks to, and the impact of attacks on, the supply chains, production capabilities and critical infrastructure we depend on every day.
