onShore Security

SEC’s Rule 106 Creates Confusion Instead of Standards

November 7, 2023 By Stel Valavanis


One of the main purposes of the SEC is to ensure that the investing public receives all the information it can and should have to make informed investments. As technology and business practices evolve, so too must the SEC, and its latest attempt to adapt to changing times has produced new SEC rules covering cybersecurity and cyber operations. The new regulations went into effect on September 6th (with compliance reporting to begin 90 days later, this December); they garnered much attention and comment while under consideration and revision, and have continued to be examined since. In responding to comments made during the consideration process for amendments to the rules, the SEC did listen to critics who warned that overly prescriptive rules would dictate cybersecurity operations, and removed many of the proposed requirements. However, by specifying aspects of the operation, the “processes”, and the degree to which those processes influence other board-level decisions, the SEC merely creates a hazy set of standards that companies will attempt to comply with and will use as a template for making their cybersecurity operation “public facing”.

Much of the attention around this new set of SEC rules has focused on the breach disclosure rules, but another new regulation that will affect all SEC registrants is being mostly ignored by media and thought leaders. New Regulation S-K item 106 will require registrant organizations to “describe their processes” for assessing, identifying, and managing cyber risk. By asking for descriptions of “processes” rather than policies and procedures, the SEC is attempting to walk the line between requiring enough information to satisfy the investing public, but not so much that it can aid threat actors. Organizations will need to account for the public nature of the information divulged in their cybersecurity and public relations strategy, and this new reporting requirement will have a direct effect on cyber operations.

The SEC can avoid being prescriptive in its reporting requirements, but any requirement to report can and will have the effect of setting a standard. If a question is asked on a form, there will be answers that are favorable, or at least acceptable, to the public, even if the question is only answered in the affirmative (or negative). Cyber operations will be tailored to make sure that the reporting to the SEC gives a favorable impression to the investing public. Security operations will be driven by the optics of what they report, and this will create a competition of security theater rather than security. While changes to cybersecurity regulation can help raise the level of maturity across the industry and encourage best practices, they can also leave gaps and create new problems outside of cybersecurity operations.

Another aspect of the rule will require registrants to disclose the role their board takes in cybersecurity decisions and management. Boards will be expected to take an active role in this part of their organization, and the reporting will show their involvement (or lack thereof). To meet this new expectation, organizations will want to show that their board is aware of and managing cyber risk, and must establish a process by which the board is informed. This can take the form of briefs from the cybersecurity team, updates from the CISO, or something else; the form is not prescribed, but it will be reported.

While this changing situation may cause confusion for the near future, working through the complications of regulating cybersecurity will ultimately make us all more secure. The hazy set of standards that will be created, and then tested against practice and public opinion, will likely lead to clearer rules and regulations in the future, as the trials and errors that occur will enrich the conversation had between public and private entities on the changing role of cybersecurity in business.

Filed Under: Compliance, Cyber Security, Cybersecurity Policy

onSecurity – Leading with Cybersecurity

November 18, 2022 By Josh Eklow

Episode 11: Leading with Cybersecurity

onShore Security’s podcast, onSecurity, explores a variety of topics in the cybersecurity field. Cybersecurity practice is typically the territory of experts in the field, but for large organizations, cybersecurity is a board-level concern and should factor into decisions in every department, from security and risk to marketing and customer experience.

Cybersecurity can seem like a big obstacle and is a large source of risk for the unaware or ill-prepared, but for those leading with cybersecurity, it offers a new way to think about every part of your organization, at every level.

For our eleventh episode, Robert Barr joins onSecurity to discuss the importance of cybersecurity awareness at the board level and the work that the Private Directors Association is doing with their new Cybersecurity Governance Committee to ensure that leaders have the understanding and knowledge needed to make big decisions.

Filed Under: Compliance, Cyber Security, onSecurity

onSecurity – Governance, Risk, and Compliance

November 4, 2022 By Josh Eklow

Episode 9: Governance, Risk, and Compliance

At the enterprise level, many discussions and decisions about cybersecurity and IT focus on the operational capability of the organization and the bad actors that may interfere with it. As cyber operations become a larger part of business operations as a whole, organizations must now also consider regulatory compliance, or risk losing the ability to operate and even facing damaging liability.

Chris Johnson, Sr. Director of Cybersecurity Programs at CompTIA ISAO, joins onSecurity to discuss the importance of GRC – governance, risk, and compliance. Though implementing GRC in an organization may present some hurdles, this work raises the organization's cybersecurity posture, making it better able to prevent and resist cyberattacks as well as comply with regulations, allowing it to continue the work it does and expand into new opportunities.

Filed Under: Compliance, Governance and Risk, onSecurity

onShore Security CEO Stel Valavanis to Join PDA Cybersecurity Committee

August 18, 2022 By Josh Eklow

Cyberleader and CEO of onShore Security Stel Valavanis has been asked to join the cybersecurity committee of the Private Directors Association, a national non-profit business association with more than 3000 members, including executive board members, company owners, officers of family-owned businesses and more. Its mission is to advocate for and teach board formation and governance and to create a network of business owners and leaders. One of the fastest growing areas of the organization is the cybersecurity leadership team, offering education such as webinars and white papers, as well as offering guidance in long-term strategic planning to improve security posture.

This collaboration will further allow Stel and onShore Security to promote cybersecurity awareness and education at the board level, allowing boards to make better informed and forward-looking decisions regarding security. This understanding is vital not only to improve the value and performance of board members but also to make it clear that security affects every part of an organization and that it should be a board-level concern.

As Stel prepares to join the board, he looks forward to adding his experience and vision to those already working to achieve the forward-thinking goals of the organization. Stel says, “I joined PDA as a member, realizing the need for board development from the various boards I sit on where my cybersecurity background has been valuable. But PDA has a bigger vision, one that provides tools and support on many levels. The opportunity to have an impact is tremendous because the gap in cybersecurity is big. The assembled committee is impressive, making my participation even more of an honor.”

Robert Barr, Co-Chair of the Cybersecurity Committee and Enterprise Strategy Director of Oracle, says, “The Private Directors Association National Cybersecurity Committee is better enabling private company boards to create short and long-term value in tomorrow’s economy while strategically mitigating key risks and driving to healthier margins. We are pleased to welcome Stel aboard.”

For more information about The Private Directors Association, please visit their website.

Filed Under: Compliance, Press Release

onSecurity – Compliance and Security

June 23, 2022 By Josh Eklow

Episode 1: Compliance and Security

onShore Security CTO Steven Kent joins Stel to discuss the intersection of compliance and security. As the author of an oft-cited saying at onShore, “security is a process, not a product”, Steven Kent is the reason that onShore has been able to satisfy the complex needs of clients in the banking industry.

Filed Under: Compliance, Cybersecurity Policy, onSecurity
