Preparing the Board for cyber regulations and cyber ranges

Cyber ranges provide evidence which can be presented to regulators, Boards and shareholders, proving that an organisation’s systems are combat-ready, says James Gerber at SimSpace.

In March 2022, the Securities and Exchange Commission (SEC) issued a proposed regulation titled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. Within it, the SEC describes the need to enhance the standardisation of disclosure regarding cybersecurity risk management and reporting. This follows the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), signed into law last March, which asks companies to voluntarily disclose their cyber breaches.

With the new proposed regulation, the SEC is suggesting that organisations should be mandated to periodically disclose the policies and procedures they have in place to identify and manage cyber risk. This would include the management’s role in implementing cybersecurity best practice as well as their board members’ cybersecurity expertise. The proposed legislation would also require companies to provide updates about previously reported cybersecurity incidents.

James Gerber, Chief Financial Officer at SimSpace

Why disclosures?

The regulation intends to better inform investors about a registrant’s risk management strategies and the governance they have in place to ensure their systems are ready to face a cyberattack. However, this proposed legislation has resulted in outcry and demands for withdrawal from Fortune 100 companies that fear the regulation will have adverse consequences for shareholder price and stakeholder demand.

Catalysed by the Russian war in Ukraine, threat actors continue to attack national critical infrastructure and governmental organisations around the world. However, these tactics, techniques and procedures (TTPs) are now being launched at businesses and organisations as cybercriminals become increasingly focused on extorting and exfiltrating sensitive data from highly lucrative businesses. The IBM Cost of a Data Breach Report 2022 revealed that the average cost of a data breach reached an all-time high of $4.35 million in 2022.

Regulatory bodies have now recognised the importance of cybersecurity legislation for companies as organisations continue to fall victim to cyber hacks. The goal of ensuring Boards are doing everything in their power to protect sensitive customer and investor data will now hold organisations directly accountable for their cybersecurity defence plans and tools.

Enhanced legislation

As complete cybersecurity disclosure will likely become mandatory for businesses, they would be well placed to act now to avoid data leaks and legal reprimands. Outside of the proposed SEC regulation, the Biden Administration is also getting much more aggressive. A 35-page document, titled National Cybersecurity Strategy, is expected to be legislated.

This will impose mandatory regulations on a wide swathe of American industries. The bill will also authorise US defence, intelligence, and law enforcement agencies to go on the offensive, hacking into the computer networks of criminals and foreign governments. Governments and regulatory bodies are awakening to the threat posed by hostile nation state actors. Businesses must ensure a return on cybersecurity investment, especially in an uncertain economic environment.

Organisations have to ensure that their cybersecurity platforms are running effectively as well as being cost-efficient. This is essential for best-practice cybersecurity disclosure as well as customer confidence and investor reassurance. One way in which organisations can prepare for this new wave of mandatory regulation is to test their defensive capabilities within a safe, simulated environment, such as a cyber range.

Cyber ranges

A cyber range is a high-fidelity, scaled replica of an organisation’s production environment, complete with accurate terrain and the actual, primary defence tools. Cyberattacks can then be launched against this model, identifying the weak points through which threat actors could enter. The range can also quantifiably measure the success of each of an organisation’s defensive tools. Applications which are not providing quantifiable intelligence can be offloaded, saving the company money which can be invested elsewhere.

Although a range realistically simulates user and active traffic within which real attacks and defence can occur, testing to this extent within a replica of the network rather than the real system means that the company does not have to sacrifice its uptime or risk major damage to its systems.

A cyber range is flexible enough to rapidly build a detailed replica of a production network and to examine overall performance with a different set of tools. An organisation’s whole-stack performance can be scored against the latest attack threats. In this way, businesses can safeguard the data held within their networks through the constant testing of their people, processes, and technology.

Best practices

Businesses should be determining the preparedness of their organisation against known threats by using cyber ranges in accordance with best practice guidelines:

  • Perform exercises aimed at reviewing your current breach and disclosure process to understand the gaps within your organisation’s defence systems.
  • Conduct live-fire exercises on a cyber range to establish new success benchmarks and identify weaknesses within your people, processes, and technology.
  • From this, establish a dashboard to track performance in accordance with the new SEC standards.
  • Based on the results of the range exercise, start a programme of continuous security improvements that includes updating your processes, training your teams, and optimising your security stack.
  • Develop a regular cadence of communications across your leadership teams to provide security and risk reviews for all new business initiatives and third-party programmes, ensuring an end-to-end security mindset.

Organisations that are investing in mil-spec cyber defence strategies like cyber ranges can dramatically increase their ability to defend against a hack while reducing their cybersecurity costs.

This means they will be able to accurately and confidently report to regulators on their cyber shielding practices, instilling confidence and trust in their customers and investors.

Cyber ranges provide evidence which can be presented to regulators, Boards and shareholders, proving that an organisation’s systems are combat-ready to tackle the latest cyber threats.
