Your Cyber Defenses: Now Under a Government Microscope

Wall and ceiling contractors will want to take a close look at the state of their cybersecurity in 2024, now that tough, new “best practices” rules from the Securities and Exchange Commission have gone live.
Designed for public companies, the SEC crackdown on cybersecurity also has teeth for many private companies that either already do business with public companies—or are looking to do business with those companies.


The reason: The computer networks of private companies—including those of wall and ceiling contractors—are often closely linked with those of their public company customers, according to Agnishwar Banerjee, product marketing manager, MetricStream, an IT advisory firm specializing in cyber risk management and compliance.


That’s a big problem, given that hackers are well aware that if they can penetrate the loosely guarded computer network of a smaller, private company, they can often use that vulnerability to break into the computer system of a much larger, publicly traded partner, according to Banerjee.


One of the major impacts businesses will see with the new SEC rules is that the cybersecurity plans of any public company—including their security arrangements with private wall and ceiling contractors—are now public.

Despite widespread awareness of hackers among workers, one of the most common ways hackers still penetrate business networks is by spoofing employees.


That means anyone interested in closely scrutinizing the cybersecurity plan of any public company—including investors, an everyday citizen or an extremely curious journalist—can now pore over that company’s official report to the SEC to their heart’s content.


Says Gary Gensler, chair of the SEC: “Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors.


“Currently, many public companies provide cybersecurity disclosure to investors.


“I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way.”


Hacks Must Be Reported
Besides forced public disclosure, another new SEC requirement that will probably smart especially keenly for most businesses is a directive that forces them to report a known hack of their systems to the SEC within four days.


That’s a far cry from the way many businesses reported hacks previously: Often, victimized firms have been known to wait months before reporting a cyber-intrusion.


Still others try to skirt reporting an incident altogether—hoping to avert bad press and liability.
Meanwhile, other new SEC rules associated with the crackdown are designed to force companies to go into in-depth, written detail about their cybersecurity infrastructure.


Again, technically speaking, such reporting will be required only of publicly traded companies.
But you can bet scores of computer security information officers at publicly traded companies will have nice, long talks during 2024 with many of their counterparts over at wall and ceiling contracting firms regarding the strength of cybersecurity at those private firms.


Who could blame them? Chief information security officers’ jobs are at extreme risk when it comes to the cybersecurity arrangements they make with private partners like specialty contractors.


Details of Defense
Meanwhile, as for the specifics the SEC is mandating in writing with its new rules: The agency now requires publicly traded companies to describe in detail the kinds of defenses they have developed to combat hackers—including the kind of protections they developed with third-party companies.

The move to remote work has resulted in more employees logging onto business networks with non-cyberprotected computer devices.


And the SEC has also decided to put corporate boards on the hook as well, requiring companies to describe in writing the oversight role the corporate board is playing in defending against hackers.
Company management, too, is of course high on the radar with the new, in-writing requirements.


And the SEC also wants to know—in writing—if the company is working with assessors, consultants or auditors when it comes to cybersecurity planning.


Finally, the SEC wants to see—also in writing—how companies have woven their hacker defense systems into their overall risk management system.


Fortify Your Barricades
Not surprisingly, business reaction to the new SEC rules has been swift and decisive.
An October Deloitte & Touche poll (https://tinyurl.com/4vx97cen), for example, found that 65% of public company executives have already made plans to toughen their defenses against hackers.
Plus, more than half of executives surveyed vowed they would push third-party partners—including private companies—to beef up their cyber-defenses as well.


Says Daniel Soo, a principal at Deloitte & Touche: “Whether organizations are publicly traded—or do business with public companies—clear communication from top leadership about cyber-risk management expectations can help mitigate security risks within organizations themselves.


“Increasingly, more executives understand cybersecurity is not just a chief information security officer’s responsibility—but a multifaceted business risk that demands many groups work together.”


Have a Plan—A Good One
New regs aside, as most wall and ceiling contractors with cybersecurity defenses already know, a good cybersecurity plan also just makes good business sense.


That’s especially true given the never-ending cat-and-mouse game hackers insist on playing with businesses, year after year.


A new survey from CompTIA (https://tinyurl.com/37rsbs8w)—a training and certification organization for the computing industry—for example, finds that businesses, public and private, are still plagued by many of the usual suspects when it comes to cyber harassment.


In particular, malware remains a top concern at these organizations, with 40% of survey respondents identifying the malware scourge as a core focus of their defenses.


Another 33% pointed to ransomware attacks as critical, followed in priority by the hacking of firmware (31%), Internet-of-Things attacks (31%) and attacks on computer hardware (31%).

Fortunately, cybersecurity training services for employees are widely available.


And of course our old friend, phishing (30%)—through which hackers attempt to penetrate business computer networks using stolen passwords, IDs, malicious links and similar threats—was also high on respondents’ hit lists, with 30% of respondents saying it’s a top priority.


Says Seth Robinson, vice president of industry research at CompTIA: “Businesses have begun to consider cybersecurity as a critical function.


“Excessive cybersecurity measures can hinder overall progress. But if measures are too relaxed, it can lead to serious incidents, resulting in potentially greater negative impacts.


“This balancing act is a full-time job. With technology trends evolving and attack patterns changing, true equilibrium may be impossible to achieve.”


Adds Matt Gorham, a cyber and privacy innovation leader at PricewaterhouseCoopers: “Surprisingly, there are still many companies that struggle with the basics. There is no shame and no consequence in revisiting the fundamentals of your cybersecurity risk management program.”


Where to Go for Help
Fortunately for wall and ceiling contractors, a number of highly respected cybersecurity think tanks and organizations have come out with detailed studies and advisories on how to handle the cyber-security threat landscape in 2024.


Together, these reports should also help a contracting business be a step quicker when it comes to outfoxing ever-persistent cyber criminals.


Here’s where to scoop up a representative sampling of these reports for free:
• Google Cloud Cybersecurity Forecast 2024: https://tinyurl.com/ynujpsmm
• CompTIA State of Cybersecurity 2024: https://tinyurl.com/37rsbs8w
• PWC Global Digital Trust Insights 2024: https://tinyurl.com/n8tp2bwt
• A Year in Review: A Look at 2023’s Cyber Trends and What’s to Come: https://tinyurl.com/w8jyymbm


Joe Dysart is an internet speaker and business consultant based in Manhattan. Voice: (631) 233-9770; joe@breakingintech.com; www.dysartnewsfeatures.com.
