Cyber Resilience: Balancing Security and Transparency

Organizations must strive for cyber resilience to meet increasing requirements for cybersecurity regulations.

Companies in 2024 will adopt more proactive risk management strategies to not only attempt to thwart malicious threats and data breaches but also to successfully comply with the growing number of cybersecurity regulations.

As the threat landscape expands significantly, especially in this era of AI, the requirements for businesses to become transparent about security incidents and to disclose attacks and breaches are increasing. These two realities will drive businesses to evolve their cybersecurity strategies toward becoming cyber resilient.

Why Cyber Resilience Now?

Cyber resilience is coming to the forefront for many organizations around the globe as regulators and legislators look to bolster transparency when it comes to cybersecurity events and preparedness.

“They want corporate executives to articulate whether and how cybersecurity is part of the company’s business strategy, governance processes, financial planning, and capital allocation,” said Melissa Hathaway, president of Hathaway Global Strategies and chair of Commvault’s Cyber Resilience Council, in our 7 Emerging Trends in Cyber Resilience report.

The SEC cybersecurity rule, Information Security Registered Assessors Program (IRAP) in Australia, DORA in the EU, and even state-level rules like New York’s Codes, Rules, and Regulations (23 NYCRR Part 500) are challenging companies to adopt transparency.

Here we look at the existing and emerging regulatory requirements cybersecurity leaders must master to ensure the businesses they support achieve both compliance and cyber resilience.

SEC

The recent SEC rule requires registrants to disclose material cybersecurity incidents. The effects of the rule create a need for security leaders and C-level executives to remain in lockstep when it comes to cybersecurity incidents and the reporting of such incidents. Furthermore, the SEC rule requires companies to articulate how cybersecurity and its oversight fits into their overall risk management program in their annual filings.

“Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident – it may be material to investors,” SEC Chair Gary Gensler said in a statement.

Nearly a quarter of the way through 2024, there has been a smattering of 8-K filings with the SEC around cyber incidents, and companies with fiscal years that ended December 31 are starting to roll out 10-K statements with updated cyber resilience language.

23 NYCRR Part 500 Regulation

The New York Department of Financial Services (NYDFS) created the Second Amendment to Chapter 23 of the New York Codes, Rules, and Regulations (23 NYCRR Part 500) to strengthen and protect information and financial systems against the increasing prevalence and sophistication of cyberattacks. The law requires NYDFS-covered financial institutions to implement and maintain a cybersecurity program that includes procedures designed to safeguard sensitive customer data from security threats and manage cyber risks.

Among the requirements of 23 NYCRR 500 compliance are several goals that NYCRR 500-covered companies must work to satisfy. To start, it requires entities to establish and maintain a cybersecurity program designed to safeguard the confidentiality, integrity, and availability of their information technology systems. The program should manage risks in several operational areas, including information security, data governance, asset inventory, systems operations, systems and network security, customer data privacy, and more.

The law requires companies to conduct penetration testing and vulnerability assessments. And the list goes on for covered entities.

DORA

Cybersecurity and business leaders are also keeping a close eye on the approaching Digital Operational Resilience Act (DORA) deadlines.

DORA entered into force January 16, 2023, with an implementation period of two years. Covered financial entities are expected to be compliant with the regulation by January 17, 2025. While the law is focused on organizations in the European Union (EU), entities outside the EU in the financial and Information Communication Technologies sectors must also work to align with DORA if they provide crucial ICT services to EU-based financial entities.

DORA creates a regulatory framework for digital operational resilience whereby all covered entities must work to withstand, respond to, and recover from ICT-related disruptions and threats. The law aims to prevent and mitigate cyber threats. DORA incorporates five key pillars:

  • ICT risk management
  • ICT-related incident reporting
  • Digital operational resilience testing
  • ICT third-party risk
  • Information sharing

DORA looks to improve the resilience of critical digital infrastructure against cybersecurity threats and attacks. By aligning with the tenets of DORA, organizations are closer to improving their cyber resilience profile.

Become Cyber Resilient

If the ever-expanding threat landscape isn’t enough to drive home the need to become cyber resilient, the flurry of new regulations is hammering the point. Businesses must understand what is required of them in terms of reporting.

For many businesses, aligning with myriad regulations will demand that cybersecurity knowledge extend beyond the CISO to the rest of the organization. That means security leaders must work with C-level executives and the board toward transparency and cyber resilience.

For more information on how Commvault Cloud can help your organization’s cyber resilience journey, visit: https://www.commvault.com/platform.
