What is the SEC 10-K Item 106 Regulation?
The new SEC disclosure rules require public companies to provide evidence of Cybersecurity Risk Management & Strategy and Cybersecurity Governance.
The recent ruling requires registrants to disclose material cybersecurity incidents they experience and to annually disclose material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures. The Board of Directors, CEO, and CISO now carry even greater accountability for providing clear evidence of the security controls that are in place as a result of the overall Cyber Risk Management Strategy and Governance.
Why do enterprises need to think differently?
A great deal of security reporting exists today; what is missing is consistency, comparability, and decision-usefulness in that reporting. The SEC 106 ruling points to the need for enterprise-wide Cyber Security Risk Management, Strategy, and Governance that is decision-useful and evidence-based, and in which the impact of the actions taken is measurable. To meet this requirement, enterprises need a measure of their security control effectiveness that helps them assess and identify risks, monitor responses to those risks, and provide the Board of Directors with rich, explainable context and an operational view of how cyber resilient the enterprise is.
For effective security controls with decision-usefulness, security teams must be able to answer the following questions with evidence:
- How fast does risk arrive?
- How long does risk survive?
- How fast are we getting rid of risk?
- How frequently do we get extreme vulnerabilities?
- How much risk is moving from dev to prod?
Additionally, security teams want more than just information on the threats that have happened; they also require insights into the current risks within the environment.
While the ongoing investment in security tools helps improve defenses against a specific threat, it also results in blind spots caused by security data silos, leaving enterprises vulnerable to attacks. This makes the task of enforcing security controls very complex.
How to meet SEC 106 requirements?
To meet SEC 106 requirements, the journey begins with Security ETL, which is not tied to a vendor-specific schema, so enterprises can avoid vendor lock-in and choose best-of-breed tools for their cyber defense. A schema-less approach to data aggregation and normalization, along with a genAI-led framework, can help organizations establish their security control effectiveness index to assess, prioritize, and remediate with a line of sight to SLA and accountability across the organization.
Consider this analogy: If you left your door unlocked, leading to a robbery, the unlocked door would be a risk, and the robbery would be an incident. Cybersecurity functions similarly. The SEC will now require that companies promptly and responsibly disclose information about threats and incidents, recognizing that cybersecurity risk is inherently a business risk.
Why be reactive and continually respond to robberies? Isn’t it preferable for enterprises to ensure that their doors remain locked, especially when protecting something as valuable as a safe?
Addressing incidents is challenging, stressful, and potentially damaging to a business. The upstream problem of resolving risks should be tackled to prevent incidents in the first place.
However, that’s easier said than done, considering teams are inundated with millions of risks of various kinds (infra, app, host, etc.) that come with no context. Existing scanners are disparate, uncoordinated data silos.
Dassana solves this issue by running on customers’ Snowflake, which serves as the security data lake. Dassana can triangulate data from your favorite security tools or work with data you already have in Snowflake via Dassana’s connectorless genAI engine.
By processing and classifying all data into fundamental security categories (assets, findings, events, and users), Dassana uses ML to add explainable context to the risks in the system – exploitability, reachability, and business context.
Dassana helps organizations stay proactive by providing insights into new trending vulnerabilities to assure stakeholders that not only is there visibility into the risks, but there’s also a mitigation plan in progress.
By looking at risk and incidents from a macro perspective, Dassana enables a data-driven reality. Unlike traditional risk scores, which suddenly drop overnight when a new 0-day vulnerability is out in the wild, Dassana examines security behavior. This approach is akin to credit scores, where you don’t get penalized for a large purchase if you pay your bills on time. It looks at behavioral patterns over time.
Measuring security behavior aligns risk management with business operations, making it a more resilient and responsive metric. It evaluates the organization’s agility in dealing with potential threats and the effectiveness of the mitigation strategies, offering insights that go beyond mere numbers.
This is what security control effectiveness is all about. It’s not just a report; it’s a journey with Cyber Resilience as the point of arrival. By systematically understanding your risks, incidents, behavior, and processes, Dassana brings all these factors into the Security Control Effectiveness Index (SCEI). This index offers a clear numerical representation of an organization’s cybersecurity posture, encapsulating current states and proactive strategies.
The SCEI is more than a metric; it’s a holistic view that provides actionable insights. It streamlines the complex cybersecurity landscape into a manageable figure, enabling confident evaluation and improvement.
By employing the SCEI, we’re not only quantifying individual organizational risks but also creating a network that transcends the boundaries of isolated organizations. This collaborative approach allows for peer benchmarking, where organizations work together to share threat intel, insights, and best practices. By actively comparing and contrasting security strategies, Dassana’s Security Exchange Consortium (SEC – pun intended) members can identify opportunities for improvement and recognize excellence within the community.
This shared wisdom and collaborative analysis enable the creation of a collective defense mechanism where the security knowledge and success of one can benefit all. This networked security community acts as a living ecosystem, constantly evolving, learning from one another, and jointly raising the bar for cybersecurity standards.
The openness in sharing information and the spirit of cooperation ensure that no organization is isolated in its cybersecurity endeavors. Instead, they are part of a greater collective leveraging shared intelligence to better arm each other against evolving threats.
Through the SCEI and our cooperative efforts, we aim to make the world a safer place, going beyond mere numbers and metrics to create a future where security isn’t just a solitary pursuit but a shared responsibility and achievement.