The U.S. Securities and Exchange Commission recently released revised cybersecurity guidance for publicly-traded companies. The guidance was approved unanimously by the commission on Tuesday, February 27. This is big news, especially if you're sitting in the C-suite at a publicly-traded company.
While the refined cybersecurity guidance includes many expected updates (particularly around risk disclosure and insider trading policies), there are several important reinforcements:
- Disclosure - Companies must disclose security risks and incidents in a timely fashion.
- Insider Trading - Companies must enforce policies and procedures that prevent insider trading around the time of cybersecurity incidents.
- Ongoing Responsibility - Companies must continually review risk factors, policies and procedures, and issue non-generic risk language whenever something changes.
Generally speaking, these updates should not be surprising. This is especially true in the wake of an increasingly sophisticated threat landscape and the sheer number of data breaches in the headlines daily. Still top of mind for everyone—the massive data breach at Equifax. More than 145 million people were compromised (current count as of 3/1), and it was disclosed that the incident had been known for far too long and was clouded by several questionable insider trading events.
Absent a major security breach, what exactly does the updated cybersecurity guidance mean for your business?
If your company uses any cloud applications (hint: the answer is yes, you do), then you might want to look closely at the updated guidance.
First and foremost, the guidance brings executive responsibility for security and risk into the spotlight.
Much like GDPR, this new SEC guidance puts the C-suite further in the hot seat if you do not exercise extreme caution and diligence around everything related to data and cloud applications.
At Meta SaaS, we believe discovery is the crucial first step in maintaining risk oversight. Discovery starts with knowing where your risks are as they relate to data or application use and accessibility. Sounds fairly simple, right? Not so fast. The biggest concern when it comes to regulations like GDPR and the SEC's updated cybersecurity guidance? Not knowing what you don't know can be the fastest path to destruction, and unsanctioned SaaS (also known as shadow IT or shadow SaaS) leads the way.
Research from the Everest Group shows that unsanctioned IT can comprise up to 50% of corporate IT spending, and that number is growing. We empower employees to purchase or use tools to boost productivity, but without IT oversight or approval this can quickly spiral out of control. This poses a number of risks:
- Creates potential vulnerabilities and entry points for cybercriminals.
- Threatens your organization’s PCI compliance standing.
- Reduces your helpdesk team’s efficiency by introducing products they aren’t trained to troubleshoot.
- Makes it nearly impossible to track IT spending and manage SaaS renewals.
- Opens your organization up to losing important files and information when an employee leaves.
Given that shadow SaaS is an unknown, how can you accurately assess risk?
Here are four quick steps to get you started:
1 - Create a policy around technology purchases. Communicate that policy broadly and often to promote a centralized view of the company's expenditures and security risk.
2 - Offer an easy way to gather data on unsanctioned SaaS purchases. Online surveys work great in this scenario to gather information on the SaaS tool purchased, what it's used for, the type of license and cost, and the method of payment.
3 - Reconcile the data. Map the information gathered in the survey back to your own list of known SaaS vendors and licenses. Pay special attention to redundancies where you might be able to consolidate contracts for volume discounts.
4 - Make the approval process easier. Make SaaS purchases part of an existing ticketing system or workflow to prevent future unapproved purchases.
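As an added example (not from the post or from Meta SaaS), here is a small Python reconciliation for step 3: it takes survey responses with the fields suggested above, normalizes tool names, and reports tools missing from the sanctioned list, business functions covered by more than one tool (consolidation candidates), and duplicate subscriptions of the same tool. The vendor list and responses are constructed sample data.

```python
"""Reconcile shadow-SaaS survey responses against the sanctioned vendor list."""
from collections import Counter, defaultdict

# Constructed sample data: known (sanctioned) SaaS vendors, keyed by
# normalized name, each mapped to the business function it covers.
KNOWN_VENDORS = {
    "slack": "chat",
    "dropbox": "file storage",
    "zoom": "video conferencing",
}

# Constructed survey responses with the fields the post suggests collecting:
# tool purchased, what it is used for, license type, cost, payment method.
SURVEY = [
    {"tool": "Slack ", "use": "chat", "license": "team", "cost": 96.0, "payment": "corporate card"},
    {"tool": "Box", "use": "File Storage", "license": "business", "cost": 180.0, "payment": "personal card"},
    {"tool": "Google Drive", "use": "file storage", "license": "workspace", "cost": 72.0, "payment": "expense report"},
    {"tool": "Trello", "use": "task tracking", "license": "free", "cost": 0.0, "payment": "none"},
    {"tool": "trello", "use": "task tracking", "license": "premium", "cost": 125.0, "payment": "personal card"},
]


def normalize(name):
    """Lower-case and collapse whitespace so 'Slack ' and 'slack' match."""
    return " ".join(name.strip().lower().split())


def reconcile(survey, known):
    """Return unsanctioned tools, redundant functions, duplicate subscriptions,
    and the total spend on tools absent from the sanctioned list."""
    by_function = defaultdict(set)  # function -> tools covering it
    for vendor, function in known.items():
        by_function[function].add(vendor)
    subscriptions = Counter()        # tool -> number of survey responses
    unsanctioned, spend = set(), 0.0
    for response in survey:
        tool, function = normalize(response["tool"]), normalize(response["use"])
        by_function[function].add(tool)
        subscriptions[tool] += 1
        if tool not in known:
            unsanctioned.add(tool)
            spend += response["cost"]
    return {
        "unsanctioned": sorted(unsanctioned),
        # Several tools for one function: candidates for contract consolidation.
        "redundant_functions": {f: sorted(t) for f, t in by_function.items() if len(t) > 1},
        # Same tool bought more than once: likely separate licenses to merge.
        "duplicate_tools": sorted(t for t, n in subscriptions.items() if n > 1),
        "unsanctioned_spend": round(spend, 2),
    }
```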
If you’re concerned about security and compliance risks related to shadow IT, give us a call. Meta SaaS can help you start your discovery to reduce that risk.