{"id":21372,"date":"2023-03-01T09:01:02","date_gmt":"2023-03-01T17:01:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/03\/01\/news-15103\/"},"modified":"2023-03-01T09:01:02","modified_gmt":"2023-03-01T17:01:02","slug":"news-15103","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/03\/01\/news-15103\/","title":{"rendered":"SEC cyber risk management rule\u2014a security and compliance opportunity"},"content":{"rendered":"<p><strong>Credit to Author: Christine Barrett| Date: Wed, 01 Mar 2023 17:00:00 +0000<\/strong><\/p>\n<p>In my practice as a Microsoft Global Black Belt, I focus on the technical and business enablement aspects of protecting organizations from cyber threats with tools like <a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-365-defender\">Microsoft 365 Defender<\/a>, <a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-purview\">Microsoft Purview<\/a> and <a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-sentinel\">Microsoft Sentinel<\/a>. In my role as a board member for another publicly traded company, the conversation is about creating value for our shareholders and managing risks in alignment with our business goals. Compliance is an important risk. Shifting gears and having the right conversations with the right stakeholders is critical to being effective, whatever your role.<\/p>\n<p>When I read the United States Securities and Exchange Commission (SEC) <a href=\"https:\/\/www.sec.gov\/news\/press-release\/2022-39\" target=\"_blank\" rel=\"noreferrer noopener\">proposed rules<\/a> on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, I saw an opportunity for cybersecurity professionals to add value to their organizations and to further their conversations with the board of directors. 
The proposed rule is on the Office of Management and Budget\u2019s regulatory calendar for April 2023.<sup>1<\/sup><\/p>\n<p>The information disclosed by companies under this rule would be submitted in eXtensible Business Reporting Language (XBRL) to be made broadly available to market participants for comparison, filtering, and analysis.<sup>2<\/sup> This is important to the board from both a compliance and a shareholder value perspective. It\u2019s an opportunity for a company to differentiate itself from competitors through its cultural and infrastructure investments in IT security.<\/p>\n<h2>Proposed SEC rule on cybersecurity risk management, strategy, governance, and incident disclosure<\/h2>\n<p>The March 9, 2022, SEC proposed rules<sup>3<\/sup> for publicly traded companies supplement the SEC\u2019s guidance of October 13, 2011,<sup>4<\/sup> and February 26, 2018,<sup>5<\/sup> regarding disclosure of cybersecurity breaches and incidents. They make the requirements more comprehensive, including reporting on:<\/p>\n<ul>\n<li>Cybersecurity incidents and updating incidents previously reported.<\/li>\n<li>The company\u2019s policies and procedures for detecting and dealing with cybersecurity risks.<\/li>\n<li>Oversight of cybersecurity governance by the board of directors.<\/li>\n<li>Management\u2019s role and expertise in cybersecurity risk management, including policies, procedures, and strategy.<\/li>\n<li>Reporting on the board of directors&#8217; cybersecurity expertise.<\/li>\n<\/ul>\n<p>This would require the board to become more aware of and involved in the company\u2019s cyber risk posture. The chief information security officer (CISO) is best positioned to enable the board in this regard. 
The SEC guidance encourages the board to seat directors with cybersecurity expertise and perhaps stand up a cybersecurity committee.<\/p>\n<h2>Reporting of cybersecurity incidents<\/h2>\n<p>Reporting of cyber incidents including breaches is the focus of the existing SEC rules. The proposal expands this to require reporting within four business days of the date that the company determines it to be material. Included in the reporting is when the incident is discovered, if it is ongoing, the scope, if data was stolen or accessed, its effect on operations, and the status of remediation.<\/p>\n<p>The scope of reportable incidents would be expanded to include those smaller incidents, which, in the aggregate, become material.<\/p>\n<p>The term \u201cmaterial\u201d is defined as whether a reasonable shareholder would consider it important, leaving some room for interpretation.<\/p>\n<p>The proposal requires that the company update its reporting on an incident with any material changes in its quarterly or annual report.<\/p>\n<p>This makes it all the more important that companies have tools in place to prevent attacks and minimize time to detection, like Microsoft 365 Defender and Microsoft Sentinel. They need to minimize the impact of a breach.<sup>6<\/sup> A data breach may be reportable to regulators and customers or a minor incident dealt with by the security team. The company needs the tools, like <a href=\"https:\/\/www.microsoft.com\/security\/business\/risk-management\/microsoft-purview-audit\">Microsoft Purview Premium Audit<\/a>, to know which.<sup>7<\/sup> Without the right tools in place before the incident, a company may have to do more reporting to regulators and the marketplace than is necessary.<\/p>\n<h2>Disclosure of cybersecurity risk management, strategy, and governance<\/h2>\n<p>Companies would be required to disclose if they have a cybersecurity risk assessment program and to describe it. 
This includes how the company works with auditors, consultants, and other third parties.<\/p>\n<p>They would be required to describe how they protect, detect, and minimize the effects of cybersecurity incidents. They would describe their cybersecurity policies and procedures, including business continuity and disaster recovery. They would describe how they select, retain, and use third parties to enable these activities and also how cybersecurity considerations affect the selection of service providers. They would describe how past cybersecurity incidents have influenced these as lessons learned.<\/p>\n<p>How the selection of partners, including cloud service providers, affects the company\u2019s security posture would be communicated to the marketplace. The company needs information to assess this and ensure that the vendor is a good security partner throughout the relationship.<\/p>\n<p>Microsoft provides the <a href=\"https:\/\/servicetrust.microsoft.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">service trust portal<\/a> to give our customers the third-party assessments and evidence they need to make informed decisions and to support them during assessments and audits. 
We provide information for Microsoft Azure, Microsoft Dynamics 365, and Microsoft 365 customers to help comply with a wide range of global, regional, industry, and government regulations with our Microsoft compliance offerings documentation.<sup>8<\/sup> For customers to assess their compliance with more than 350 regulatory standards in Microsoft 365,<sup>9<\/sup> we offer <a href=\"https:\/\/www.microsoft.com\/security\/business\/risk-management\/microsoft-purview-compliance-manager\">Microsoft Purview Compliance Manager<\/a>.<sup>10<\/sup> For Azure customers, Microsoft provides the Regulatory compliance dashboard in Microsoft Defender for Cloud, which also provides visibility into the compliance posture of non-Microsoft clouds.<sup>11<\/sup><\/p>\n<p>Companies would be required to describe how cybersecurity incidents have or might in the future affect their operations and financial performance and how these risks are dealt with as part of the company\u2019s business planning.<\/p>\n<p>This aligns with corporate governance scoring that credits companies for the investment, planning, and expertise in IT security.<sup>12<\/sup> It provides an increased return on a company\u2019s cultural and infrastructure investments in IT security.<\/p>\n<h2>Disclosure regarding governance and the board of directors&#8217; cybersecurity expertise<\/h2>\n<p>Companies would disclose their cybersecurity governance, including a description of how both the board and management provide oversight of, assess, and manage cybersecurity risk. They would describe management\u2019s cybersecurity expertise and role in cybersecurity for the company.<\/p>\n<p>Companies would disclose each board member with cybersecurity expertise and describe it under the proposed rule. The proposed rule is not prescriptive as to what constitutes expertise. 
It provides some examples such as experience in information security, policy, architecture, engineering, incident response, certifications, or degrees.<\/p>\n<p>This may encourage organizations to select directors with these skill sets. It may also encourage a company to stand up a cybersecurity committee within the board.<\/p>\n<p>This will likely mean that the CISO will be enabled to advocate for the needs of the information security program and communicate the security posture and plans to an informed audience. It may provide opportunities for cybersecurity professionals to serve on boards.<\/p>\n<h2>Microsoft can help security teams meet this opportunity<\/h2>\n<p>Whatever the final content of the SEC rule, it will be an opportunity for the CISO to increase and highlight the value of the IT security function. It will expand the scope of the CISO\u2019s communications with the board. It will supplement the business case for investment in IT security. By making information on a company\u2019s cybersecurity posture and governance broadly available, stakeholders can make better-informed decisions about cyber risk. This helps transition IT security from a cost center to a business enabler where it belongs.<\/p>\n<p>Learn more about <a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-365-defender\">Microsoft 365 Defender<\/a>, <a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-purview\">Microsoft Purview<\/a> and <a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-sentinel\">Microsoft Sentinel<\/a>.<\/p>\n<p>To learn more about Microsoft Security solutions, <a href=\"https:\/\/www.microsoft.com\/security\/\">visit our website<\/a>. Bookmark the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/\">Security blog<\/a> to keep up with our expert coverage on security matters. 
Also, follow us on LinkedIn (<a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-security\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Security<\/a>) and Twitter (<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noreferrer noopener\">@MSFTSecurity<\/a>) for the latest news and updates on cybersecurity.<\/p>\n<div style=\"height:51px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-wide\"\/>\n<p><sup>1<\/sup><a href=\"https:\/\/www.reginfo.gov\/public\/do\/eAgendaViewRule?pubId=202210&amp;RIN=3235-AN15\" target=\"_blank\" rel=\"noreferrer noopener\">Regulatory calendar<\/a>, Office of Information and Regulatory Affairs. 2023.<\/p>\n<p><sup>2<\/sup><a href=\"https:\/\/www.xbrl.org\/the-standard\/what\/an-introduction-to-xbrl\/\" target=\"_blank\" rel=\"noreferrer noopener\">An Introduction to XBRL<\/a>, XBRL.org.<\/p>\n<p><sup>3<\/sup><a href=\"https:\/\/www.sec.gov\/rules\/proposed\/2022\/33-11038.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure<\/a>, SEC. March 9, 2022.<\/p>\n<p><sup>4<\/sup><a href=\"https:\/\/www.sec.gov\/divisions\/corpfin\/guidance\/cfguidance-topic2.htm\" target=\"_blank\" rel=\"noreferrer noopener\">CF Disclosure Guidance: Topic No. 2<\/a>, SEC. October 13, 2011.<\/p>\n<p><sup>5<\/sup><a href=\"https:\/\/www.sec.gov\/rules\/interp\/2018\/33-10459.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Commission Statement and Guidance on Public Company Cybersecurity Disclosures<\/a>, SEC. February 26, 2018.<\/p>\n<p><sup>6<\/sup><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/01\/06\/privacy-breaches-using-microsoft-365-advanced-audit-and-advanced-ediscovery-to-minimize-impact\/\">Privacy breaches: Using Microsoft 365 Advanced Audit and Advanced eDiscovery to minimize impact<\/a>, Steve Vandenberg. 
January 6, 2021.<\/p>\n<p><sup>7<\/sup><a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/compliance\/audit-solutions-overview?view=o365-worldwide#audit-premium\" target=\"_blank\" rel=\"noreferrer noopener\">Auditing solutions in Microsoft Purview<\/a>, Microsoft Learn. February 21, 2023.<\/p>\n<p><sup>8<\/sup><a href=\"https:\/\/learn.microsoft.com\/compliance\/regulatory\/offering-home\">Microsoft compliance offerings<\/a>, Microsoft Learn.<\/p>\n<p><sup>9<\/sup><a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/compliance\/compliance-manager-templates-list?view=o365-worldwide\">Compliance Manager templates list<\/a>, Microsoft Learn. February 22, 2023.<\/p>\n<p><sup>10<\/sup><a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/compliance\/compliance-manager?view=o365-worldwide\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Purview Compliance Manager<\/a>, Microsoft Learn. February 22, 2023.<\/p>\n<p><sup>11<\/sup><a href=\"https:\/\/learn.microsoft.com\/azure\/defender-for-cloud\/update-regulatory-compliance-packages\" target=\"_blank\" rel=\"noreferrer noopener\">Customize the set of standards in your regulatory compliance dashboard<\/a>, Microsoft Learn. February 8, 2023.<\/p>\n<p><sup>12<\/sup><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/08\/08\/it-security-an-opportunity-to-raise-corporate-governance-scores\/\">IT security: An opportunity to raise corporate governance scores<\/a>, Steve Vandenberg. August 8, 2022. 
<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/01\/sec-cyber-risk-management-rule-a-security-and-compliance-opportunity\/\">SEC cyber risk management rule\u2014a security and compliance opportunity<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Christine Barrett| Date: Wed, 01 Mar 2023 17:00:00 +0000<\/strong><\/p>\n<p>The proposed Securities and Exchange Commission rule creates new reporting obligations for United States publicly traded companies to disclose cybersecurity incidents, risk management, policies, and governance. This blog describes how the rule is an opportunity for the IT security team to provide value to the company. 
<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/01\/sec-cyber-risk-management-rule-a-security-and-compliance-opportunity\/\">SEC cyber risk management rule\u2014a security and compliance opportunity<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[12534,25159,4500,14715],"class_list":["post-21372","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-compliance","tag-compliance-series","tag-cybersecurity","tag-cybersecurity-policy"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21372","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21372"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21372\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21372"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","te
mplated":true}]}}