
January/February 2024


A new year’s review: Cyber considerations for 2024

By Mark Lanterman

In December 2023, the U.S. Securities and Exchange Commission (SEC) put into effect its new rules for cyber disclosures. In a statement, the purpose of the rules was described: 

"In July of this year, the Commission adopted final rules that will require public companies to disclose both material cybersecurity incidents they experience and, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance. These rules will provide investors with timely, consistent, and comparable information about an important set of risks that can cause significant losses to public companies and their investors."[1]

Since the rules were announced, many organizations have been working to understand the new compliance requirements, especially in determining what types of events warrant disclosure. Even in the midst of actively responding to a cyberattack, upper management will now have to carefully consider when an event necessitates quick disclosure. The SEC has stated that no specific cybersecurity measures are mandatory, and organizations have the responsibility to determine for themselves how to best counteract risks. However, disclosure about individual, material incidents (as well as a yearly accounting of cyber risk and how it is being actively managed) is necessary. 

Heading into 2024, it is wise for organizations to take stock of their security postures and set goals for the coming year. Whether it’s prompted by recently enacted requirements, or the knowledge of an ever-evolving threat landscape, a comprehensive cybersecurity review can help address gaps and inform subsequent assessments. The surge of artificial intelligence applications in 2023 (as both a tool and a new threat) has also led many organizations to review their existing policies and practices. From ensuring the appropriate use of ChatGPT by employees to being on alert for increasingly sophisticated spear-phishing campaigns, AI has tested cybersecurity postures.

This effect could soon extend to cyber insurance policies, as AI may begin to feature more prominently in risk profiles and underwriting. As I discussed in my previous article, “Social engineering or computer fraud? In cyber insurance, the difference matters” (October 2022), reviewing term definitions and asking the right questions ahead of time can be critical in understanding coverage. “To date, exclusions specific to AI have not yet been identified in the insurance market,” Reuters reported recently. “Nonetheless, in the event such exclusions or other coverage limitations begin to appear during placements and renewals—for example, exclusions for claims, losses, or damages that ‘arise out of’ or are ‘related to’ AI—such changes should be vigorously resisted by insureds.”[2] The ubiquity of AI has increased both the sophistication and proliferation of cyber threats, including automation and advanced spear-phishing attacks.[3] It is yet to be seen how AI will impact future cyber insurance policies, from the application process to claims.

Changing threats, increasing risks, and new requirements make a New Year cyber review smart, if not necessary. Move beyond your written policies; try to determine how the practices on paper are being implemented on an everyday basis. One frequently forgotten area: data retention policies. An organization may have a well-written and detailed policy that specifies timelines, notification procedures, and destruction methods for different types of data. However, as is often the case with written cybersecurity policies, in practice it is more or less forgotten. As with any security measure, it is only useful when it is actually enacted.

Sometimes written data retention policies are too vague to be actionable and need reworking to fit current needs. Encryption policies, VPN usage, remote work environments, tabletop exercises for incident response activities, access control management, and third-party vendor relationships are all aspects of a cybersecurity posture that should be considered during an assessment. Training programs also need to be updated and assessed for efficacy, as many organizations take a “check-the-box” approach to education, with no retention testing or documentation of completion. Simple cybersecurity goals can make all the difference in 2024.


Mark Lanterman is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board. 



Notes

[1] https://www.sec.gov/news/statement/gerding-cybersecurity-disclosure-20231214

[2] https://www.reuters.com/legal/legalindustry/lets-chat-about-ai-insurance-2023-10-24/

[3] https://www.cnbc.com/2023/11/28/ai-like-chatgpt-is-creating-huge-increase-in-malicious-phishing-email.html
