Data Governance Gets a New Impetus


Data governance has often been met with furrowed brows among CIOs — sometimes seen as the broccoli of the IT dinner plate: undoubtedly good for you, but not always eagerly consumed. CIOs often bore the brunt in organizations that were forced to adopt top-down data governance.

With this said, defensive data governance has been a staple for organizations entrenched in regulatory mazes, where compliance is non-negotiable and GDPR exposure looms large. This form of governance acts as both shield and strategist — protecting sensitive data from breaches and misuse while navigating the complex legalities of data privacy laws. For industries ranging from healthcare to finance, it’s less of a choice and more of an operational prerequisite, ensuring that they’re not only protecting their clients’ data, but also safeguarding their reputation and financial standing from the ramifications of non-compliance.

However, a recent revelation stemming from a conversation with a CIO brought to light an SEC ruling on cybersecurity materiality and management that alters the game quite radically for every company. By knitting together the realms of security and data governance, this mandate elevates data governance from the basements of IT to the high-table discussions of the boardroom, transforming it into a critical metric for board reporting. This shift is not just a cultural change, but a strategic imperative that underscores the inextricable link between robust governance and enterprise security.

Digging into the SEC Ruling

The SEC’s ruling on cybersecurity is a clarion call to public companies, signaling the heightened risk cyber threats pose to the stability of the market and investor trust. In an era marked by profound digital transformation — where remote work is commonplace, cybercriminals are profiting from attacks, digital transactions are the norm, and dependency on third-party IT services, including cloud technologies, is on the rise — the SEC has observed a corresponding spike in both the frequency and costs of cyber incidents. These evolving risks, the SEC has ruled, necessitate stronger disclosure practices.

The SEC requires registrants to file a Form 8-K within four business days of determining that a cybersecurity incident is material, providing detailed accounts of the incident’s characteristics, timing, and significant consequences, especially concerning financial health and operational results. Companies must swiftly evaluate incident materiality and report on this determination. Moreover, the SEC now requires an S-K disclosure in which registrants describe their cybersecurity risk assessment and management processes, explain how such risks have impacted or might materially impact them, and outline the board of directors’ and management’s involvement in overseeing and mitigating these cybersecurity threats. This regulatory push for transparency underscores the critical intersection of cybersecurity and data governance.

Why Data Governance Is Now on the Board’s Agenda

In the current landscape, where data breaches can go undetected, and their impact undetermined, for months, data governance should ascend to the forefront of boardroom agendas, especially with audit committees. The urgency stems from the need to swiftly discern the scope of data compromised during a cybersecurity incident. The critical questions at play involve materiality and demonstrable due diligence in protecting data.

Here, CIOs need to grapple with the challenge of not only deploying SIEM (Security Information and Event Management) tools for real-time alerts, but also mapping out the data residing within exposed systems. It’s no longer sufficient to detect a breach; companies must pinpoint which specific data, particularly sensitive and personally identifiable information (PII), was accessed through the breach and evaluate the materiality of the affected data so as to avoid legal repercussions.

The problem is that, with the expansion of data across various cloud service platforms (CSPs), companies are finding it impossible to quickly locate and manage dispersed or dormant data stores. Analyst firms have labeled approaches to this problem data security posture management (DSPM). These aim to detect uncategorized data, both structured and unstructured, and assess it for security and privacy risks as it traverses various channels and regions.

The goal of these approaches is to uncover unknown data repositories and assess them for exposure to data residency, privacy, and security risks. For many, the first step is to establish data security governance policies, laying out a comprehensive data security posture for each dataset. Companies should next conduct a risk analysis, specifically on their ability to uncover hidden data repositories and use data lineage to trace sensitive data’s geographic locations and potential exposure risks.

In the above process, organizations should then prioritize the datasets that present the highest risk — this includes creating data maps across CSP platforms and analyzing data flows and pipelines for risks such as improper data access or missing security controls. This mapping process is crucial and can often be achieved using cloud privileges, without relying on technology agents or integration with other security products.

The SEC’s four-day reporting requirement for material cybersecurity incidents has made sensitive data discovery an imperative process. The documented processes for controlling sensitive data, mandated by the new SEC regulations, alongside the complexities introduced by cloud computing, underscore the need for comprehensive data security posture management as a means of proactive risk management in the digital age. At the very same time, the global cyber insurance market is on track to reach a colossal $90.6 billion by 2033, reflecting not just the increasing peril, but also the expanding scope of coverage — from business interruptions to regulatory fines.

Parting Words

The digital estate, with its sprawling data across cloud platforms and geographic borders, mandates a robust strategy for data governance, now a critical boardroom issue underscored by the SEC’s four-day disclosure rule for cybersecurity incidents. CIOs must pivot to data security posture management (DSPM) solutions that offer a panoramic view of data, assessing risks and materiality through automated discovery and classification. This approach is not just about compliance; it’s a strategic necessity to protect sensitive data and stave off the legal and financial aftershocks of data breaches, ensuring that companies can swiftly pinpoint, report, and address vulnerabilities within their digital infrastructure.

Myles Suer

Myles Suer is the leading influencer of CIOs, according to Leadtail. He is the facilitator of #CIOChat. The chat has executive-level participants from around the world in a mix of industries including banking, insurance, education and government. Myles publishes on a number of sites, including a prior weekly column at as well as articles published in ComputerWorld, Cutter Business Technology Journal, and COBIT Focus. He is the Strategic Marketing Director at Privacera.