Ransomware Resilience: Protecting Businesses and Ensuring SEC Compliance

Posted on by Doug Barbin

As businesses across industries continue to digitalize their day-to-day operations, they’re faced with the continued threat of a ransomware attack. According to Malwarebytes  2024 ThreatDown State of Malware report, ransomware attacks increased in 2023 by 63% compared to 2022, underscoring this escalating threat to businesses worldwide.

Ransomware attacks have wide ranging impacts on businesses, from the obvious financial losses to the not-so obvious loss of stakeholder trust or reputational damage. In response to this growing threat, the Securities and Exchange Commission (SEC), adopted rules requiring affected organizations falling under the SEC, to report material incidents they experience and to disclose cybersecurity risk management, strategy, and governance information on an annual basis.

Organizations must be aware of how an attack could disrupt their business operations, stay up to date on best practices for mitigating these attacks, and in the event, they are attacked, be prepared to efficiently report the issue to the SEC.

Organizational impact of a ransomware attack

In order to be adequately prepared for a ransomware attack, businesses must understand the potential implications that they bring. That means more than just the large ransom that attackers expect them to pay for decryption keys. It also includes payment for recovery efforts and legal fees, even if the organization does not pay the ransom. Ransomware can also put a stop to business operations, leading to downtime, lost productivity, and potentially missed business opportunities, all of which ultimately impact the bottom line. In some cases, ransomware attackers will threaten to leak or destroy sensitive information. Losing that valuable data will have a negative impact on the enterprise’s reputation, regulatory compliance, and customer trust. And, whether data is leaked or not, a publicized ransomware attack can taint the organization’s brand identity, as customers can lose confidence in the company’s ability to protect their data, leading to longer term financial damage due to customer loss.

To appropriately handle a ransomware attack, organizations need to devote a significant amount of resources, including IT experts and legal counsel, which means diverting them from growth initiatives and day-today operations, hindering the business's overall development. Further, the company should also look to invest in stronger cybersecurity measures and develop new cybersecurity strategies after an attack in order to prevent future incidents.

Best practices for mitigating attacks

 A strong ransomware defense program requires a multifaced approach that involves every person within the organization, provides clear understanding of the nature of a company’s data and where it resides, prioritizes patch management, has necessary access controls implemented, and prioritize regulatory compliance.

Beyond organizational strategies, it’s also key to invest in technical strategies and processes that can help enterprises shield themselves from ransomware attacks:

  • Employee Training: Continuously educate employees about the latest threats and how to recognize and report potential security risks, including phishing the most common entry-point for external ransomware attacks.

  • Incident Response Plans: Develop and regularly update an incident response plan, ensuring everyone in the organization knows their role in case of an attack.

  • Regular Updates and Patch Management: Stay current with software updates and security patches to plug known vulnerabilities.

  • Regular Data Backups: Firms must routinely backup all critical data and ensure that backups are stored securely, “offline,” or in separate cloud environments with robust access controls and encryption.

  • Strong Password Policies: Implement and enforce strong, unique passwords and implement multi-factor authentication (MFA) wherever possible.

  • Penetration Testing and Red-Teaming: Regularly assess cybersecurity posture through penetration testing and red-teaming not only to identify vulnerabilities but test the organization’s ability to detect and respond.

  • Vendor Risk Assessments: Evaluate the security practices of third-party vendors that have access to your systems or data.

Having these programs and strategies in place will not only create an immunity to cyberattacks but will put the impacted organization on a fast track to recovery, minimize operational downtime and financial loss, and start them on the road to report the attack to the SEC in compliance with its breach disclosure rules.

Efficiently reporting attacks with the SEC’s breach disclosure rules

The SEC rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure demands that companies provide investors with timely, accurate, and "decision-useful" information about their cyber risk management, strategy, and governance processes.

This includes a requirement for organizations to file two forms to the SEC:

  • Form 8-K: A mandatory filing item demanding a report of material cybersecurity incidents within four business days.

  • Form 10-K: An annual filing in which companies must provide detailed descriptions of their cybersecurity programs.

For companies to remain in compliance with these regulations, security and IT leaders must understand each organizational department’s role in compliance to ensure seamless coordination during a cybersecurity incident, like a ransomware attack.  

Organizations must be prepared to provide information on its process for reporting cybersecurity incidents, how it determines materiality, the appropriate level of information to disclose in the filings, and its process for reporting material incidents within the SEC’s mandated four-day reporting period. Organizations should regularly conduct internal tests and assessments to gauge their preparedness for reporting to the SEC to ensure they can be as efficient and accurate as possible.

In the first part of 2024, we have already seen organizations filing 8-K reports for potentially material incidents. We’ve seen instances where there were additional public notifications as well as filings with little to no detail around what occurred and statements that the investigations are still underway. The ongoing compliance with this requirement and what we see in the marketplace will continue to evolve.

For the 10-K, CEOs and CFOs must take responsibility for the completeness and accuracy of the disclosed cyber risk management program, while the board is responsible for overseeing cybersecurity risk and identifying committees responsible for effective oversight. We are now just starting to see companies describe these programs within their 10-K, with many pointing to industry frameworks like the NIST CSF and ISO 27001 as baselines for their programs. 

With businesses across the globe consistently plagued by increasing ransomware attacks, robust cybersecurity measures and efficient reporting strategies are imperative. Attacks have wide ranging impacts across the business that range from financial loss to deterioration of stakeholder trust to operational down time and more. By implementing a multifaceted, proactive cybersecurity and regulatory compliance program, businesses can fortify their defenses against ransomware threats while also being prepared for SEC breach disclosure reporting in the event of an attack.

Doug Barbin

President & National Managing Principal, Schellman

Risk Management & Governance

ransomware hackers & threats malware compliance management risk & vulnerability assessment incident response audit persistence Pen Testing / Breach Simulation

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs