Cyber Resilience: Balancing Security and Transparency
Commvault blog, published 2024-03-11 (modified 2024-03-11). https://www.commvault.com/blogs/cyber-resilience-balancing-security-and-transparency

Companies in 2024 will adopt more proactive risk management strategies, not only to attempt to thwart malicious threats and data breaches but also to comply successfully with the growing number of cybersecurity regulations.

As the threat landscape expands significantly, especially in this era of AI, the requirements for businesses to be transparent about security incidents and to disclose attacks and breaches are increasing. These two realities will drive businesses to evolve their cybersecurity strategies toward cyber resilience.

Why Cyber Resilience Now?

Cyber resilience is coming to the forefront for many organizations around the globe as regulators and legislators look to bolster transparency about cybersecurity events and preparedness.

“They want corporate executives to articulate whether and how cybersecurity is part of the company’s business strategy, governance processes, financial planning, and capital allocation,” said Melissa Hathaway, president of Hathaway Global Strategies and chair of Commvault’s Cyber Resilience Council, in our 7 Emerging Trends in Cyber Resilience report.

The SEC cybersecurity rule, the Information Security Registered Assessors Program (IRAP) in Australia, DORA in the EU, and even state-level rules like New York’s Codes, Rules, and Regulations (23 NYCRR Part 500) are challenging companies to adopt transparency.

Here we look at the existing and emerging regulatory requirements that cybersecurity leaders must master to ensure the businesses they support achieve both compliance and cyber resilience.

SEC

The recent SEC rule requires registrants to disclose material cybersecurity incidents. As a result, security leaders and C-level executives need to remain in lockstep on cybersecurity incidents and the reporting of them. Furthermore, the rule requires companies to articulate in their annual filings how cybersecurity and its oversight fit into their overall risk management program.

“Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident – it may be material to investors,” SEC Chair Gary Gensler said in a statement.

Nearly a quarter of the way through 2024, there has been a smattering of 8-K filings with the SEC around cyber incidents, and companies with fiscal years that ended December 31 are starting to roll out 10-K statements with updated cyber resilience language.

23 NYCRR Part 500 Regulation

The New York Department of Financial Services (NYDFS) created the Second Amendment to Chapter 23 of the New York Codes, Rules, and Regulations (23 NYCRR Part 500) to strengthen and protect information and financial systems against the increasing prevalence and sophistication of cyberattacks. The law requires NYDFS-covered financial institutions to implement and maintain a cybersecurity program that includes procedures designed to safeguard sensitive customer data from security threats and manage cyber risks.

23 NYCRR 500 compliance sets several goals that covered companies must work to satisfy. To start, it requires entities to establish and maintain a cybersecurity program designed to safeguard the confidentiality, integrity, and availability of their information technology systems. The program should manage risks in several operational areas, including information security, data governance, asset inventory, systems operations, systems and network security, customer data privacy, and more.

The law also requires companies to conduct penetration testing and vulnerability assessments. And the list goes on for covered entities.

DORA

Cybersecurity and business leaders are also keeping a close eye on the approaching Digital Operational Resilience Act (DORA) deadlines.

DORA entered into force on January 16, 2023, with an implementation period of two years. Covered financial entities are expected to be compliant with the regulation by January 17, 2025. While the law is focused on organizations in the European Union (EU), entities outside the EU in the financial and information and communication technology (ICT) sectors must also work to align with DORA if they provide crucial ICT services to EU-based financial entities.

DORA creates a regulatory framework for digital operational resilience whereby all covered entities must work to withstand, respond to, and recover from ICT-related disruptions and threats. The law aims to prevent and mitigate cyber threats. DORA incorporates five key pillars, which are as follows: