nGuard
SEC

Cybersecurity in Healthcare: A Growing Concern

The healthcare industry, with its vast repositories of sensitive patient data, has always been an attractive target for cybercriminals. Recent incidents have underscored the urgent need for robust cybersecurity measures in this sector.

Rhysida Ransomware’s Impact on Healthcare
The Rhysida ransomware operation has been particularly aggressive in its targeting of healthcare organizations. The U.S. Department of Health and Human Services (HHS) and various cybersecurity firms have released detailed reports on Rhysida’s modus operandi. This group’s audacity is evident in its willingness to compromise critical healthcare infrastructure, jeopardizing patient data and potentially delaying essential medical services. Such attacks not only disrupt operations but can also erode trust between patients and healthcare providers.

Missouri’s Medicaid Data Breach
Missouri’s recent data breach serves as a stark reminder of the vulnerabilities inherent in the healthcare sector. The breach stemmed from the Clop ransomware gang’s mass exploitation of the MOVEit file transfer software, which was in use at IBM, a vendor to Missouri’s Department of Social Services, and it exposed protected health information of Medicaid participants. The breach affected a large number of individuals, with data ranging from personal identification details to medical histories. Such incidents underscore the importance of securing third-party systems and ensuring that vendors adhere to stringent cybersecurity standards, because a vendor’s file transfer server is part of your attack surface even when you never log in to it.

Nationwide Cyberattack
A recent cyberattack had a cascading effect on hospitals and clinics across several states. The attack, targeting facilities run by Prospect Medical Holdings, disrupted computer systems, leading to the temporary shutdown of emergency rooms and the diversion of ambulances. Such widespread attacks can have dire consequences, especially in life-threatening situations where every second counts. The incident also highlights the interconnected nature of healthcare systems and the need for a unified response to cyber threats.

nGuard: Your Partner in Cybersecurity
In the face of these escalating threats, organizations must be proactive in their approach to cybersecurity. nGuard is here to assist:

  • HIPAA Strategic Security Assessments: Our in-depth assessments pinpoint gaps in HIPAA compliance, ensuring that your organization remains aligned with regulations.
  • Penetration Testing: With a suite of testing options, we identify potential vulnerabilities, enabling you to fortify your defenses against cyber threats.
  • Vulnerability Management: Our regular scans identify exposed weaknesses so they can be remediated before attackers exploit them, keeping pace with an ever-evolving threat landscape.
  • Incident Response: Should the worst happen, our rapid response team is on hand to mitigate damage and guide your organization back to normalcy.

In an era where data breaches can have tangible real-world consequences, partnering with nGuard ensures that your organization remains both secure and compliant.


SEC Implements New Rules for Cybersecurity Incident Disclosure: A Call for Strengthened Preventative Measures

The U.S. Securities and Exchange Commission (SEC) has taken a step towards increasing transparency and investor protection by adopting new rules that require public companies to disclose material cybersecurity incidents within four business days of determining that an incident is material. The regulations aim to address the rising threat landscape, including the increase in cyberattacks and data breaches that has accompanied the digitalization of operations. This security advisory explores the background of the new rules, what they entail, and how organizations can prepare for compliance while bolstering their cybersecurity defenses through preventative measures.

The new SEC cybersecurity incident disclosure rules come at a critical time, when the impact of cyberattacks is becoming increasingly evident. One notable case that underscored the severity of such incidents is the MOVEit breaches. The breaches, attributed to the Russian-linked Clop ransomware group, exploited a vulnerability in a widely used managed file transfer product and impacted hundreds of organizations, including major government agencies, universities, and prominent corporations.


Background of the New SEC Cyber Disclosure Rules:

In March 2022, the SEC proposed new rules to standardize and enhance disclosures regarding cybersecurity risk management, strategy, governance, and material cybersecurity incidents for publicly traded companies. Cybersecurity threats have become an escalating risk for businesses, investors, and market participants due to the rapid evolution of technology and the monetization of cyber incidents by criminals. The new rules aim to provide consistent, comparable, and decision-useful disclosures to enable investors to assess the potential impact of cybersecurity risks on companies.

Requirements of the New Rules:

The newly adopted rules introduce a new Form 8-K Item 1.05, obliging companies to disclose any cybersecurity incident the company determines to be material. The disclosure must describe the material aspects of the nature, scope, and timing of the incident, together with its material impact, or reasonably likely material impact, on the company, including its financial condition and results of operations. The four-business-day filing window starts when the company determines the incident is material, not when the incident is discovered; the rules also require that the materiality determination be made without unreasonable delay after discovery, so the determination cannot be deferred to push out the filing date. The one carve-out is a delay permitted when the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
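Because the filing clock counts business days from the materiality determination rather than calendar days from discovery, incident response teams tend to miscount it under pressure. The following Python is an added illustration, not part of nGuard’s advisory or any SEC tooling: it derives the Item 1.05 deadline from the determination date and records the discovery-to-determination lag that must stay free of unreasonable delay. The holiday set is a constructed sample containing two 2024 dates; a registrant would substitute its full SEC holiday calendar (an assumption of this example).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample for the example: 2024 MLK Day and Presidents' Day only.
# Assumption: a real filing calendar carries the complete SEC holiday schedule.
EXAMPLE_HOLIDAYS = frozenset({date(2024, 1, 15), date(2024, 2, 19)})


def add_business_days(start: date, n: int, holidays=frozenset()) -> date:
    """Advance `start` by `n` business days, skipping weekends and `holidays`."""
    d = start
    remaining = n
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:  # Mon-Fri and not a holiday
            remaining -= 1
    return d


def item_105_deadline(materiality_determined: date, holidays=frozenset()) -> date:
    """Last timely filing date for Form 8-K Item 1.05.

    The four-business-day clock runs from the materiality determination,
    not from the day the incident was discovered.
    """
    return add_business_days(materiality_determined, 4, holidays)


@dataclass(frozen=True)
class DisclosureTimeline:
    discovered: date
    materiality_determined: date
    filing_deadline: date

    @property
    def days_to_determination(self) -> int:
        """Calendar days between discovery and the materiality call. Tracked so
        the team can show the determination was made without unreasonable delay."""
        return (self.materiality_determined - self.discovered).days


def build_timeline(discovered: date, materiality_determined: date,
                   holidays=frozenset()) -> DisclosureTimeline:
    """Assemble the dates an IR lead needs to brief counsel and the disclosure committee."""
    if materiality_determined < discovered:
        raise ValueError("materiality cannot be determined before discovery")
    return DisclosureTimeline(discovered, materiality_determined,
                              item_105_deadline(materiality_determined, holidays))


if __name__ == "__main__":
    # Constructed scenario: discovered Mon 2024-02-26, deemed material Fri 2024-03-01.
    t = build_timeline(date(2024, 2, 26), date(2024, 3, 1), EXAMPLE_HOLIDAYS)
    print(f"discovered {t.discovered}, determined {t.materiality_determined} "
          f"({t.days_to_determination} days later), file 8-K by {t.filing_deadline}")
```

A Friday determination lands the deadline on the following Thursday, and a holiday in the window pushes it out another day; both are the cases people get wrong when counting "four days" on a calendar.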

Additionally, companies will be required to comply with a new Regulation S-K Item 106, which necessitates the description of their processes for assessing, identifying, and managing material risks from cybersecurity threats. The rule also mandates the disclosure of the board of directors’ oversight of cybersecurity risks and management’s role and expertise in handling such threats.

Timelines and Important Dates:

The final rules took effect 30 days after publication in the Federal Register. All registrants must include the Regulation S-K Item 106 disclosures in annual reports for fiscal years ending on or after December 15, 2023. For the incident disclosure requirements in Form 8-K Item 1.05 (and Form 6-K for foreign private issuers), all registrants other than smaller reporting companies must begin complying 90 days after the Federal Register publication date or on December 18, 2023, whichever is later. Smaller reporting companies have an additional 180 days: they must begin complying 270 days from the effective date of the rules or on June 15, 2024, whichever is later. For structured data requirements, all registrants must tag the required disclosures in Inline XBRL beginning one year after they first become subject to the related disclosure requirement.

Preparation for Compliance and Preventative Measures:

Preparing for compliance with the new SEC rules will be a challenge for organizations, but there are essential steps that can be taken to prepare for the new requirements and reduce the risk of a breach:

  • Establish a Methodology for Determining Materiality: Organizations need to develop a robust methodology for assessing and determining the materiality of cybersecurity incidents. This methodology should consider the potential impact on the company’s operations, financial condition, and investor decisions, and it should be applied promptly, since the filing clock starts at the determination.
  • Implement a Process and Template for Creating 8-Ks: Include templates for the types of breaches and attacks your organization is most likely to face, so that the required description of nature, scope, timing, and impact can be drafted within the deadline.
  • Employ Managed SIEM for Logging and Alerting: A Managed Security Information and Event Management (SIEM) solution can help organizations monitor and analyze security events, enabling faster detection and response to potential threats.
  • Implement Multi-Factor Authentication (MFA) and Strong Password Policies: Enforcing MFA and strong password policies adds an extra layer of security to protect against unauthorized access to sensitive data and systems.
  • Implement Incident Response Plans: Having a well-documented and tested incident response plan is crucial to responding promptly and effectively to cyber incidents. This plan should outline the necessary steps to investigate, contain, and mitigate the effects of a breach, and it should include the hand-off to the disclosure committee.
  • Conduct Annual Internal and External Penetration Testing: Regular penetration testing helps identify vulnerabilities in the company’s systems and applications, allowing for proactive remediation before attackers can exploit them.
  • Conduct Ongoing Vulnerability Scanning: Continuous vulnerability scanning is essential to detect and address weaknesses promptly, reducing the window in which a known flaw can be exploited.

The SEC’s new cybersecurity incident disclosure rules represent a critical step in promoting transparency and accountability among publicly traded companies. By complying with these rules, organizations can better inform investors about the material impact of cybersecurity risks and incidents, thereby enhancing investor confidence. To prepare for compliance and mitigate cyber risks, companies should focus on establishing methodologies for determining materiality, implementing robust incident response plans, and conducting regular penetration testing and vulnerability scanning. Employing managed SIEM services can further bolster their cyber defenses and ensure timely detection of potential threats. Ultimately, the combination of compliance and preventative measures will help fortify businesses against the ever-evolving cyber threat landscape.

Filed Under: Advisory, Breach, Compliance, Events, Financial, General, Products & Services, Vulnerabilities & Exploits Tagged With: Annual Reports, compliance, Compliance Deadlines, Cyber Threat Landscape, Cyberattacks, cybersecurity, Data Breaches, Digitalization, Disclosure Rules, Financial Reporting, Form 8-K Item 1.05, Governance, Impact Assessment, Incident Response, Inline XBRL, Investor Confidence, Investor Protection, Managed SIEM, Materiality, Multi-Factor Authentication (MFA), Penetration Testing, Preventative Measures, Regulation S-K Item 106, Risk Management, SEC, Security Information and Event Management, Strong Password Policies, Transparency, Transparency and Accountability, Vulnerability scanning

© 2023 nGuard. All rights reserved.