The SEC’s new cyber incident disclosure rules have sparked concerns regarding the readiness of public companies to define operational risk and disclose business risks related to cyber incidents. The concern is more in the context of industrial control systems and IoT infrastructure. These regulations require swift disclosure of significant cybersecurity incidents and annual reporting of cybersecurity risk management strategies. Persistent production disruptions due to cyber incidents highlight the urgency in addressing operational risks.
In the aftermath of such incidents, there is often unplanned downtime, extended manual operations and substantial financial costs. Identifying key assets crucial for business continuity allows security teams and executives to prioritize security measures including those related to operational technology (OT) and IoT systems. Creating a complete list and organizing these important assets is essential for finding the main reasons behind issues. It is learned that the security teams of public companies focusing on operational risk and identifying vital assets must meet three key objectives by December 15.
Key tasks include understanding operational risk and how it relates to importance criteria of companies, listing OT/IoT assets not covered by current IT security controls, and including these assessments in SEC reports for assessing material risks. In cybersecurity, the conventional reactive stance often favors risk avoidance, removing potential hazards. Risk mitigation, in contrast, accepts the inevitability of certain events and their potential impacts.
The SEC rule requires organizations to clarify how they empower security teams to understand, assess and mitigate material risk. Security teams managing OT and IoT assets often lack visibility, leaving room for unreported incidents and misconfigurations. Complex interdependent processes in companies operate around the clock and rely on equipment and communications. Incidents in IT or OT networks can lead to high-consequence events with cascading impacts.