Are You in Compliance?
As the digital age unfolds, we continue to see seismic increases — decade-to-decade, year-to-year, and even month-to-month — in the amount of data we create as well as its value to us, both individually and collectively.
From medical records, financial statements, and classified government documents to transactional processing systems, customer information, social media engagements, pictures of our pets, and so much more, data is the lifeblood of modern society. It defines our social and professional lives, drives our businesses, and sustains our economies and governments.
To withstand this ever-intensifying, open-fire-hydrant-like stream of information creation and valuation, our IT systems have, naturally, been forced to grow in complexity. Today, zettabytes of life-altering, society-shifting data are sprawled across an overlapping, interlocking, occasionally mangled web of technologies, systems, companies, partnerships, and industries. While this complexity is part and parcel of the digital life and world we’ve chosen — at least for now — it also leaves us vulnerable to threats, malicious or otherwise.
None of these trends are new, of course. They’re also not likely to change anytime soon. The blight of cybercrime, in particular, is expected to maintain a torrid pace, advancing in sum, sophistication, and severity in the months and years to come. The unfortunate truth is that the more data we create and the more intricate our systems become, the wider our “attack surface” is for threat actors to exploit.
For example, five years ago typical organizations used 16 SaaS apps. Today, they use 130, according to recent reporting. Furthermore, the software and firmware running our systems sit atop codebases that get more complex by the day, both in sheer size and dependency on third-party code. The original space shuttle’s code base had only 400,000 lines of code. Modern cars have 100 million lines of code. And that’s to say nothing of other looming threats, including rising socioeconomic and geopolitical tensions and extreme weather events.
Cause and Effect: Rising Risk and Regulation
Suddenly, it’s not a matter of if, but when, our defenses will be tested. This is borne out nearly every day, with news about data breaches and ransomware attacks making global headlines.
Just last week, a ransomware attack against Change Healthcare, a division within Optum, a subsidiary of UnitedHealth Group — have we mentioned IT complexity yet? — crippled pharmacies across the United States and caused serious disruptions in the delivery of prescription drugs nationwide, including some that are still ongoing. It appears that UnitedHealth has since paid its attackers, a group known as AlphV or BlackCat, a ransom of $22 million — an increasingly common outcome for attacks against healthcare systems because cybercriminals know providers ultimately have a duty to keep patients alive and well (and readily exploit that fact). Truly insidious.
It’s no wonder, then, that we are seeing a heightened focus on regulatory compliance and operational resilience, with more and more governments and regulatory bodies prioritizing, developing, and implementing updated cybersecurity rules and best practices. At their core, many of these frameworks are designed to foster a culture of cyber resilience — where our organizations are equipped with the strategies and tools needed to anticipate, prepare for, withstand, respond to, and recover from cyber risks and incidents. This is easier said than done, of course.
While advancing cyber resiliency competencies and promoting transparency, particularly for customers and investors (*hint* foreshadowing *hint*), is certainly in everyone’s best interests, the work it takes to understand and implement new regulations is challenging and sometimes downright confusing. Often, new regulations necessitate significant investments in cybersecurity infrastructure and resources, personnel training, and continuous monitoring systems, which can quickly leave IT leaders overwhelmed, overworked, and their organizations at risk.
Which, at last, brings us to today’s main course.
You Can’t Spell Cybersecurity Without S-E-C
While laws like GDPR in Europe and HIPAA in the U.S. have already impacted how we manage data, the nature of our ever-evolving information and threat landscape is prompting a new wave of regulations intent on reshaping how organizations approach cybersecurity, privacy, and transparency around the world. For example, the Digital Operational Resilience Act (DORA), an EU regulation governing how financial entities prepare for and respond to ICT-related incidents, entered into force in January 2023 and applies from January 2025. (Side note: We’ll be covering DORA at greater length in the future, so stay tuned!)
However, the most pervasive and, certainly, most prominent cyber regulator to join the club is the U.S. Securities and Exchange Commission (SEC), which, last July, announced the adoption of its “rules on cybersecurity risk management, strategy, governance, and incident disclosure.” We’ll delve much deeper into these rules shortly, however, their SparkNotes summary is this: The SEC is now requiring publicly listed companies to disclose the occurrence of “material” cybersecurity incidents as well as make annual disclosures about their cybersecurity risk management, strategies, and governance.
Gary Gensler, current SEC chair, had this to say about the intention behind their new rules:
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Essentially, the SEC is trying to mandate a more proactive (and reactive) cyber resiliency mindset. It believes the companies it regulates must not only prioritize their cybersecurity defenses, but must also have processes in place for rapidly identifying and assessing the materiality of incidents. Basically, the SEC wants us to operate under the assumption that we will experience real threats or potential breaches, and to be transparent once we do.
Exactly how prepared and how transparent, you ask? Well, that’s the (multi) million-dollar question.
New Rules on the Block: You’ve Got Questions
It’s clear why the SEC would want to implement more stringent regulation. However, it’s been more than two months since the rules officially took effect on Dec. 18, 2023, and many organizations still have valid critiques and questions about how their operations can (and will) be impacted moving forward.
Questions like:
- What is a “material” incident?
- How long do I really have to report an incident?
- To whom do these rules currently apply?
- To whom might they apply?
- What are the consequences of non-compliance?
- What should I do if my organization needs assistance ensuring compliance and managing risk?
If that sounds familiar, you aren’t alone. In a recent report from AuditBoard, a vast majority of security leaders (81%) said that the SEC’s new cybersecurity rules will substantially impact their business, but only about half (54%) were highly confident in their organization’s ability to comply with the disclosure ruling. Additionally, more than two-thirds of respondents (68%) said that the new SEC cybersecurity disclosure directives overwhelm them.
To all those feeling confused and overwhelmed, 11:11 Systems says: We feel ya.
New Rules on the Block: We’ve Got Answers
In the months since the announcement, 11:11’s consulting engineers and compliance experts have pored over every inch of the SEC’s cybersecurity rules.
It’s a process that is still, technically, ongoing — one that began by asking many of the same questions you did and one that continues to this day with regular discussion between our various teams and outside industry thought leaders. From the beginning, our goal has been simple: to understand — to the best of our ability — what these new rules actually require and then be able to communicate that information in a concise and actionable way.
Doing so meant wading into the confusion and chaos.
“Whenever human beings are introduced to something new — no matter the thing, no matter the scale — it’s only natural for there to be an adjustment period,” said Michael Shandrowski, principal consultant at 11:11 Systems. “That’s exactly what we’re seeing with these new SEC cybersecurity rules. There’s been some typical, initial confusion, even a bit of chaos, as we all try to gain our bearings. We’re still in the thick of it right now, but the good news is it won’t last forever.”
Stay tuned for Part II of our mini-series on the SEC’s new cybersecurity rules, coming later this week. You’ll hear from Shandrowski, as well as other 11:11 experts, as they break down everything you need to know about the rules, including what they say, what they mean, the nuances and confusion surrounding specific requirements, and how 11:11 can help you maintain compliance and operational resilience.