Preparing To Disclose Cyber Resiliency Readiness And Incident Lists

Last updated: 2023/10/03 at 2:03 AM
By News Room

Simon Jelley, General Manager for SaaS Protection, Endpoint and Backup Exec at Veritas Technologies.

Contents
• Cyber Resiliency Transparency Legislation
• Cyber Resiliency Transparency Best Practices
• Cyber Resiliency Missteps To Avoid

Cyber resiliency refers to an organization’s ability to withstand and recover from cyber incidents, such as ransomware, that target critical or sensitive systems and data.

For almost as long as I can remember, enterprise technology experts have been banging on the cyber resiliency drum, encouraging business leaders to make it a top priority. We often speak of the consequences in terms of potential lost revenue as a result of system downtime combined with potential hard costs like system recovery.

But except for incidents that include loss of personally identifiable information covered by data privacy regulatory compliance laws, organizations typically don’t have to publicly report cyber incidents nor undergo outside scrutiny of their cyber resiliency practices.

That’s changing.

Cyber Resiliency Transparency Legislation

In July, the U.S. Securities and Exchange Commission (SEC) issued a ruling that will soon require all publicly traded companies to “disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy and governance.” These cybersecurity incidents must be reported within four days.

This is on top of the Strengthening American Cybersecurity Act—signed into law in March—that stipulates that any entities “that own or operate critical infrastructure must report cyber incidents and ransom payments within specified time frames.” Depending on the incident, that timeframe is 24 or 72 hours.

While these laws directly target public companies and critical infrastructure entities, privately held companies are not immune. Because public companies and critical infrastructure entities do business with other companies of all sizes, a cyberattack at any point in their supply chains could be considered “material.”

So, how do you address these new cyber resiliency transparency requirements?

Cyber Resiliency Transparency Best Practices

Consider the following steps:

• Conduct a cybersecurity risk analysis. You can’t protect what you don’t know. A thorough cybersecurity risk analysis involves reviewing your entire IT infrastructure to identify your critical assets and where and how attackers might seek to gain access to them.

• Implement additional protections where needed. Your cybersecurity risk analysis will highlight not only where you’re well defended, but where you’re not. Implement appropriate protections to close any chinks in your cyber resiliency armor.

• Put an incident response plan in place. As the old adage goes, failing to prepare is preparing to fail. Even with a thorough cybersecurity risk analysis and appropriate protections in place, being attacked is a matter of when, not if. You need to document the procedures and processes you will use to isolate threats and mitigate their effects. Many of the steps will need to be tailored to your specific business needs. The plan should also specify who needs to be involved and provide contingencies for things like holidays, vacations and other unusual circumstances. And then you need to regularly practice executing these procedures and processes.

• Prepare your employees with cybersecurity training. Many cyberattacks start with phishing attempts to try to get employees to divulge information that could help an attacker compromise an enterprise’s systems. Teach employees how to spot phishing attempts and other threats. Encourage them to use strong passwords. Help them understand what seemingly innocuous daily routines they have, like perhaps using unauthorized web apps such as generative AI tools, that could put sensitive company information at risk.

• Pay special attention to the cloud. Don’t assume those operating the cloud services you subscribe to as part of your multicloud infrastructure are compliant with the required protection, resiliency and compliance capabilities. Many of these providers guarantee the capabilities of the service layer, but not your data. In other words, check the fine print of what your shared responsibility is.

• Establish cybersecurity reporting processes. As they say, those who do not learn from history are doomed to repeat it. By establishing robust IT reporting capabilities, especially for cybersecurity, incidents and associated responses are recorded and can be analyzed to spot mistakes. Plus, having these reporting capabilities in place now will make it easier to begin officially reporting cybersecurity incidents when it becomes required.

• Get used to sharing information. Don’t wait for the new SEC ruling to go into effect. Get used to proactively sharing information with the public now. Doing so will build trust among investors and customers and convey that you’re serious about cybersecurity.

Cyber Resiliency Missteps To Avoid

• Don’t wait until after an incident to make cyber resiliency a priority. Too many organizations underestimate their cyber risk until after they’ve had an incident that awakens them to reality. Act now, not later, on the above steps to avoid a costly lesson.

• Never assume you’re safe. Threat actors are incredibly innovative, and emerging technologies like generative AI are only increasing their ingenuity, dynamism and audacity. You’re never “done” with cyber resiliency just because you’ve undertaken the steps above. You must constantly evolve and improve your cyber resiliency posture by revisiting these steps often.

In conclusion, I, along with a chorus of others, have long advocated that every organization needs to continually improve its cyber resiliency readiness, including data protection. This advocacy has largely relied on would-be negative consequences. With the growing body of cyber resiliency-related legislation, it finally has some teeth. Follow the steps outlined here to make sure your organization is prepared to address these laws while avoiding missteps along the way.

The information provided here is not legal advice and does not purport to be a substitute for advice of counsel on any specific matter. For legal advice, you should consult with an attorney concerning your specific situation.

Forbes Business Council is the foremost growth and networking organization for business owners and leaders.
