How Listed Companies Like Simpson Manufacturing Can Establish Cybersecurity Good Governance in 2023
November 2023 by James Gerber, SimSpace
James Gerber, Chief Financial Officer of global Cybersecurity firm SimSpace, explains why increased cybersecurity regulation is coming, and how companies like Simpson Manufacturing can get ahead of it before it arrives.
Simpson Manufacturing, a NASDAQ-listed manufacturer of building and structural materials, as well as structural connectors and anchors, last month suffered a cyberattack that forced it to shut down its IT systems. This ultimately led to significant disruptions and loss of revenue. Manufacturers are often the least well equipped to deal with a cyberattack, yet they are simultaneously the most exposed and vulnerable, leading to huge losses when their operations are disrupted.
Regulators have taken note that businesses like Simpson Manufacturing are fighting a losing battle against foreign and domestic cyber criminality, and by introducing stringent cybersecurity regulation, their focus is to ensure that companies treat cyberattacks as an increasingly systemic threat.
The SEC’s Cyber Disclosure Rules
Answering calls for stricter regulation, the U.S. Securities and Exchange Commission (SEC) in September passed new rules mandating that listed companies report cyber incidents within 96 hours. December 18th 2023 is the compliance deadline for companies, including foreign issuers, to make timely determinations about whether an attack under way may have a “material” effect on their enterprise. The rule requires that companies make those determinations “without unreasonable delay”, which means that disclosure teams must get involved in cyber incident response activities much earlier than before.
Companies will then have four days to inform core stakeholders such as investors, customers and regulators. In addition, publicly listed companies will also need to discuss more thoroughly the kinds of cybersecurity threats for which they have prepared, particularly the severe ones that can have material impacts on the company. They will also have to discuss the approaches they have in place to minimize the effects of such events on the company’s business strategy, operations, or financial condition. Although the compliance deadline is yet to pass, companies are already taking note, following the rules to show that they are transparent with their investors and stakeholders. Simpson Manufacturing is a case in point, having originally disclosed the cyber incident in a Form 8-K filing to the SEC in line with the new regulations, despite the compliance deadline being months away.
As more and more companies comply, the effects of these rules on cyber practices are likely to echo the positive effects that the Sarbanes-Oxley (SOX) regulations had on financial reporting two decades ago. Most companies have long known what best practice for withstanding severe cyber events looks like. Like with SOX, the SEC’s cyber disclosure rules will help to foster greater adoption of these best practices across public reporting companies.
The Answer: Train and Test Your People, Processes, and Technology
Ultimately, companies need to take more proactive steps not only in protecting their critical infrastructure but also in practicing its defense under severe circumstances, all the way through to the rapid and full restoration of systems after an attack has been contained. Best practice companies have been investing in advanced, military-grade cyber defense strategies such as adopting a zero-trust approach and testing their people, processes and technology in simulated cyber range environments before an attack occurs. As cyber threats and attacks become more common, sophisticated and damaging, developing a company’s cyber defense capability and stress-testing capacity is key to mitigating risk.
NATO’s cyber defense teams and their counterparts in the US have long prepared to defend against nation-state attacks by training in advanced cyber ranges that replicate the real production IT and operational technology environments that they have to defend every day. Security teams are equipped with the same defensive tools, combatting the same tactics, techniques, and procedures used in high-profile attacks. Many leading publicly listed companies have followed suit with those best practices, and now a broad cross section of listed companies need to take on the same best practice of military-grade protections. These best practice environments enable companies to explore and make sure their defenses are as strong around key specialty systems, like the billing system that took down the Colonial Pipeline, as they are elsewhere. This ability for companies to rehearse for the unfortunate eventuality that they are hit by a significant cyber event is also helping companies to integrate their financial and disclosure teams right into their incident processes, so that those teams can work the early stages of their materiality determinations in parallel with the incident response teams and make their determinations “without unreasonable delay.”
Similar early integration of legal teams is also helping best practice companies to put the right triggers in place, so that they can better utilize the national security exception to the rules, which allows for a delay in filing their Form 8-K if filing would pose a risk to national security.
Companies have long thought that traditional table-top exercises would be sufficient to prepare teams to respond promptly and accurately to a severe cyberattack, but occasions like the Simpson Manufacturing attack prove this not to be the case. Years ago, the US Air Force learned that the chances of survival went up substantially for a flier who had already successfully flown ten missions, so it created training environments in which its fliers could get that experience under realistically severe circumstances before going into actual combat. Cyber Command in the US did the same thing as it stood up its cyber training exercises in 2010, and best practice companies do the same. They all want their teams practiced and regularly scored for effectiveness on high-fidelity replicas of the actual production systems that they defend, so that their leadership will know that they can be successful on the day that a potentially material real cyber event occurs. Ultimately, these companies adopt a model of continuous improvement to sustain performance as new threats emerge. Leadership feels more confident that their teams and tools will be able to withstand severe attacks and rapidly restore capabilities, and investors, regulators and insurers do too.
Although the material threats posed by nation state-backed groups have awakened many organizations to the systemic risk that attacks against any of our large, publicly traded companies pose, we need to remain vigilant in our war against cyber threat actors. In the upcoming year, and with the advent of these new SEC cyber regulations, every public company CEO will be looking at unfortunate cases like Simpson Manufacturing and thinking about how to better prepare their organizations for the continuing cyber threats.