SEC ruling on cybersecurity extends beyond publicly traded companies – part 2
Published by Christopher Pogue on 23 October 2023
Picking up on where Part 1 of this blog post left off last week, Part 2 explores how new SEC rulings on cybersecurity – set to come into effect in December – will affect privately held companies. A recent precedent set by the SEC in a ruling unrelated to cybersecurity may offer us some clues…
According to an article posted by Wiley Law on September 26, 2023 (emphasis mine):
“The SEC believes its investigative authority extends to virtually anything and anyone. While it may be more obvious that a private company selling securities — as broadly as that term is defined — can run into SEC regulation, the Monolith case demonstrates that the SEC does not limit its enforcement activities to private entities directly engaged in purchasing or selling securities.”
In fact, precedent was set on September 8, 2023, that privately held companies can be investigated and fined by the SEC. Monolith Resources, LLC, a privately-held 236-employee clean technology company based in Nebraska, was fined $225K for violating the SEC’s Dodd-Frank Whistleblower ruling.
Further, as stated in the Wiley article:
The National Institute of Standards and Technology (NIST) released its latest Cybersecurity Framework 2.0 on August 8, 2023, which now includes a section on corporate governance. Therefore, cybersecurity issues are directly related to environmental and social governance (ESG) reporting issues and are increasingly important to businesses from a compliance and governance standpoint.
With the Monolith case being ESG related, it sets an important precedent. Effectively, if the SEC can investigate and fine private companies for ESG and Whistleblower rule violations, there may be no reason to believe that they can’t do it for the cybersecurity ruling as well.
So, the question becomes: who will be the first privately held company affected and how much will they be fined?
The importance of cybersecurity in your organization
Part 1 of this blog looked at the new SEC ruling in the context of MGM’s recent cybersecurity incident.
The MGM breach was not sophisticated; it was a social engineering attack against help desk employees. This means that a large security budget, an internal security team and the restrictive GRC regimes that cover the hospitality and entertainment industries were effectively circumvented.
Merritt Maxim, vice president, research director, security and risk at Forrester said:
“The MGM breach continues to demonstrate that for all the sophisticated security controls and technologies that organizations employ to defend themselves against hackers, the human element remains a vulnerable spot that attackers continue to target. Social engineering attacks are not new — attackers have increased the sophistication and target systems for social engineering, especially the multifactor authentication process.”
The defense of every aspect of an organization’s infrastructure is a complicated, daunting endeavor. As the MGM breach and countless others like it prove, this is not a simple IT issue, and you can’t just throw money at it and expect it to go away. For organizations that choose to brave this path alone, or with a disunified collage of service providers, the likelihood of suffering a similar fate seems inescapable.
For these reasons, now is the time for organizations to form strategic partnerships with providers that specialize specifically in full-spectrum cybersecurity services. Organizations like CyberCX have teams of people who make it their life’s work to support CISOs, their needs and their requirements in what is becoming a complex and challenging area with a dearth of skills and a heavy burden of workload.
In addition, retaining in-house talent who have made learning a priority and kept current through training and education is difficult. With so many organizations looking for top-tier cybersecurity professionals and wanting that talent on their internal teams, security leaders are put in the unenviable position of fighting an arms race to retain it.
When you have a skilled internal team and bring in fresh talent, the experience, capabilities and collaboration of a trusted partner can enhance internal capabilities and train less experienced staff quickly. It can also ease the pressure on CISOs introduced by the cybersecurity talent war being waged around the globe. Our team is always across the latest threats, always trained and educated on the latest tools and techniques, and always ready to engage.
The faucet will keep running whether or not you have the people, the services and the capability to do the work: cybersecurity risk will continue. That’s why it is so critical to manage the balance between internal staff and external trusted advisors, given the operational risk that will otherwise occur. Let CyberCX help you reduce that risk and make the defense of your brand reputation, market position and revenue targets more attainable.