Will Smaller Companies Buckle Under the SEC’s Incident Reporting Requirements?
2024-09-23 18:29:22 Author: securityboulevard.com


The SEC’s new incident reporting requirements have brought about many questions and concerns among security professionals and government bodies.

One argument is that the requirements are duplicative of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and will create more work for already resource-constrained cybersecurity teams.

Another is that a disclosure window of four business days (the clock starts once the company decides an incident is material) is not only too early to determine the impact, but that publicly disclosing sensitive breach details on the heels of an incident could attract other attackers to exploit the same weakness before it is fixed.

Opinions and speculation aside, the challenges are real.

  • Data today flows across many companies, systems and subsidiaries, making it incredibly difficult to distinguish the victims from the perpetrators, or even to establish which entity's incident it is to report.
  • Determining what “may be material to investors” is not always obvious, and will require quite a bit of administrative work to figure out.
  • Establishing communication with business-level executives and the board will become even more critical, requiring further education and training.

This is a herculean task for a large company with a CISO and a full SOC team; now imagine what it will be like for smaller companies with fewer resources.


Since June 15, 2024, smaller reporting companies have been required to comply just like a large organization. These stringent requirements could inadvertently cripple companies with penalties, stifling innovation and hindering their growth.

Will startups buckle under the pressure? That remains to be seen. But one thing is certain: If CISOs are struggling, smaller companies are due for some pain.

As a small organization, here are a few steps you can take to mitigate impact.

Step 1: Get Smart on Top Security Frameworks

Before all else, become familiar with all the major frameworks. Luckily, there are ample resources that can help an organization prepare.

  • EU Network and Information Security Directive v2 (NIS2): a directive aimed at achieving a high common level of cybersecurity across the European Union. It updates the original NIS directive to address evolving threats and improve the security of network and information systems, and it brings its own incident-reporting clock: an early warning within 24 hours and a fuller notification within 72 hours of becoming aware of a significant incident. Organizations operating in the EU need to plan for that clock alongside the SEC's.
  • NIST Cybersecurity Framework (CSF): a set of guidelines and best practices to help organizations manage and reduce cybersecurity risk. Widely used in the United States and internationally, it helps organizations align and prioritize their cybersecurity activities based on business needs, and provides a common language for managing risk.
  • NIST Risk Management Framework (SP 800-37) and its control catalog (SP 800-53): the RMF provides a process for managing security and privacy risk, and SP 800-53 supplies the catalog of security and privacy controls (written for federal information systems but widely adopted elsewhere) that the process selects from. Together they support a risk-based approach in which controls are tailored to specific needs and risks.
  • NIST Guidelines for Protecting Sensitive Information (SP 800-171): this publication sets requirements for protecting controlled unclassified information (CUI) in non-federal systems and organizations. It helps organizations comply with federal regulations regarding the protection of sensitive information, reducing the risk of unauthorized access and disclosure.
  • ISO/IEC 27000: a family of standards for information security management systems (ISMS), including ISO/IEC 27001, which specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS. It provides a comprehensive framework for managing information security risks, ensuring that information assets are secure.
  • Center for Internet Security (CIS) Critical Security Controls (CSC): The CIS CSC is a set of best practices for securing IT systems and data, including a prioritized set of actions to protect organizations and data from known cyber attack vectors. It helps organizations prioritize their security efforts by focusing on high-impact areas, thereby improving their overall security posture.

There are also a number of global data privacy regulations, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Germany’s Bundesdatenschutzgesetz (BDSG) and South Africa’s Protection of Personal Information (POPI) Act. These are designed to protect personal data by governing how personally identifiable information (PII) is obtained, processed and stored, and several carry their own breach-notification duties.

Step 2: Build a Security Team

Building a robust security program from scratch can be daunting, especially for smaller companies with limited resources. But with strategic planning and the right approach, it is possible to establish a solid security foundation with minimal resources. Here are some quick-and-dirty steps to bootstrap a security program:

  • Cobble together a small security team. Hire a senior security leader, an infrastructure security engineer, an application security engineer and a compliance professional. These roles require experienced professionals who can create a security roadmap, prioritize tasks based on risk and implement scalable processes. These team members should also be able to execute crucial elements of the security roadmap themselves.
  • Get closer with engineering. If you weren’t already in very close alignment with your development team, start now. Engineers familiar with the product can identify security gaps and improvement opportunities. This is vital for integrating secure practices throughout the software development lifecycle, addressing penetration test findings and adding customer-facing security features. Although resource constraints at startups make this challenging, demonstrating how early security interventions save time can help gain the necessary commitment.
  • Automate, automate, automate. This may sound obvious, but look for simple ways where automation can streamline security processes — from infrastructure monitoring and auto-remediation to code analysis and vulnerability management. By automating, startups can integrate security seamlessly into every process, which not only improves security but also conserves engineering time.
  • Try Open Source. While open source security tools eliminate license fees, they require time for implementation and configuration. For startups with small teams, choosing tools that vendors can deploy and manage might be more beneficial, ensuring that security enhancements are both practical and cost-effective.
  • Cover the risk and vulnerability management basics. Most breaches trace back to known vulnerabilities and human error. Good attack surface visibility, scanning of all assets, and reasonable, enforced SLAs for closing critical security gaps are where most of the risk lies, and they also give you the asset inventory you will need to scope and assess an incident quickly when the disclosure clock is running.
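The "reasonable SLAs for critical security gaps" point above is easy to state and easy to lose track of once the scanner output grows. The following is an added example, not code from the article or from any vendor: a minimal SLA tracker that takes scan findings, escalates anything known to be exploited in the wild onto the critical clock, and reports what is overdue as of a given date. The SLA windows, the severity labels and the sample findings are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation windows in calendar days from first detection.
# Illustrative values, not from the article; tune to your own risk appetite.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    severity: str                   # must be a key of SLA_DAYS
    first_seen: date
    exploited_in_wild: bool = False  # e.g. listed in a known-exploited catalog
    fixed: bool = False

    def __post_init__(self):
        if self.severity not in SLA_DAYS:
            raise ValueError(f"unknown severity {self.severity!r}")


def effective_severity(f: Finding) -> str:
    """Anything known to be exploited in the wild is tracked on the critical clock."""
    return "critical" if f.exploited_in_wild else f.severity


def due_date(f: Finding) -> date:
    return f.first_seen + timedelta(days=SLA_DAYS[effective_severity(f)])


def days_overdue(f: Finding, today: date) -> int:
    """Positive once the SLA has been blown, zero or negative while still inside it."""
    return (today - due_date(f)).days


def sla_report(findings, today: date) -> dict:
    """Split open findings into overdue vs. within SLA, most urgent first."""
    open_findings = sorted((f for f in findings if not f.fixed), key=due_date)
    return {
        "overdue": [f for f in open_findings if days_overdue(f, today) > 0],
        "within_sla": [f for f in open_findings if days_overdue(f, today) <= 0],
    }


def sla_compliance(findings, today: date) -> float:
    """Fraction of open findings still inside their SLA; 1.0 when nothing is open."""
    report = sla_report(findings, today)
    total = len(report["overdue"]) + len(report["within_sla"])
    return 1.0 if total == 0 else len(report["within_sla"]) / total


# Constructed sample scan output; identifiers are placeholders, not real CVEs.
TODAY = date(2024, 9, 23)
SAMPLE_FINDINGS = [
    Finding("F-001", "web-01", "high", date(2024, 8, 1), exploited_in_wild=True),
    Finding("F-002", "web-01", "medium", date(2024, 8, 1)),
    Finding("F-003", "db-01", "critical", date(2024, 9, 20)),
    Finding("F-004", "vpn-01", "high", date(2024, 8, 1), fixed=True),
    Finding("F-005", "mail-01", "high", date(2024, 7, 15)),
]

if __name__ == "__main__":
    report = sla_report(SAMPLE_FINDINGS, TODAY)
    for bucket, items in report.items():
        print(bucket)
        for f in items:
            print(f"  {f.finding_id} {f.asset} {effective_severity(f):8} "
                  f"due {due_date(f)} ({days_overdue(f, TODAY):+d}d)")
    print(f"SLA compliance: {sla_compliance(SAMPLE_FINDINGS, TODAY):.0%}")
```

Run against the constructed sample, F-001 lands in the overdue bucket even though the scanner rated it "high", because the in-the-wild flag moved it onto the seven-day clock; the fixed F-004 is excluded from the compliance figure altogether. The same ordering (sorted by due date, exploited-in-the-wild first) is a sensible default for the daily remediation queue a small team can actually work through.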

While there is no silver bullet, these provide a starting point for smaller companies to navigate the new incident reporting rules. Even though the new requirements create pressure, they serve as a forcing function for the inevitable: Building a strong security foundation.



Source: https://securityboulevard.com/2024/09/will-smaller-companies-buckle-under-the-secs-incident-reporting-requirements/