
SEC Sets New Disclosure Rules: Read How It Will Revolutionize Organization Cybersecurity


SEC mandates cybersecurity reporting for companies 

The Securities and Exchange Commission's (SEC) latest set of rules on cybersecurity reporting for publicly traded organisations can be read in two ways: as one more generic regulatory formality piling onto companies, or as an important step towards strengthening cybersecurity at board level.

In the short term it is likely to be both. In the bigger picture, though, the benefits will outweigh the limitations. The SEC's focus on cybersecurity metrics can combine with other financial reporting requirements to push companies toward a more comprehensive security framework, one that includes asset intelligence and prioritises material risk.

SEC protocol: Implication for organizations

The new rules are likely to push organizations to build asset intelligence on evidence-based security data, rather than merely keeping an inventory of devices and apps, and so move them toward a consistent monitoring and improvement program.

The rules will also encourage companies to involve the whole organization in cybersecurity, bringing security, IT, compliance and legal together in ways that benefit every party involved.

Deep Asset Intelligence: A much needed approach

The case for an integrated approach to cybersecurity built on evidence-based data highlights how much stronger intelligence many organisations need. The recent cyber attack on Clorox shows why. Clorox was among the first large organizations to be compromised after the SEC's new rules came into effect, which required the company to report the attack on the SEC's Form 8-K within four days.

Clorox did comply; however, it had limited information on the impact of the attack, so it had to file a second Form 8-K. Even then, Clorox did not disclose the full financial damage of the attack.

What do experts think?

Some cybersecurity experts expect Clorox's experience to be common among other businesses, given the difficulty of rapidly assessing an attack's impact. Incomplete reports, however, may mislead investors.

A thorough understanding of an asset's life cycle, security measures, management style, data usage patterns, and potential end-of-life situations can all contribute to a more accurate assessment of the attack's impact.

By promoting the use of measurements and statistics based on empirical evidence to evaluate material risk, the new regulations may also encourage businesses to improve their asset intelligence.

The Way Forward For Constant Enhancement

Businesses gather a great deal of security metrics, some of which may not be very valuable. While it may seem commendable to have stopped 9,000 malware attacks in a month, what would happen if there had been 9,008 attempts? 

By concentrating on operational controls and material concerns, comprehensive asset intelligence can assist organisations in focusing on more serious issues. 

An endpoint without a security agent, or an outdated, unpatched system, can be just as hazardous as a network-based vulnerability with an entry in the Common Vulnerabilities and Exposures (CVE) list. Inventorying all of your users, apps, and devices is not sufficient; you also need to know whether the security controls are in place and active.
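To illustrate the point above that an inventory is only useful once it is joined with the state of the controls on each asset, here is a small added example (written for this post, not the author's or the SEC's code) that matches a constructed inventory against constructed agent-heartbeat and patch telemetry and lists gaps with material assets first; the hostnames, tiers and thresholds are assumptions.

```python
# Hypothetical asset-intelligence check, constructed for this post (not the
# post's own code): join the inventory with control telemetry so an asset
# with no agent, a silent agent or a stale patch level shows up as a gap.
from datetime import datetime, timedelta

AS_OF = datetime(2023, 9, 5)  # constructed evaluation date
# Constructed inventory: tier 1 supports a material business process.
INVENTORY = [
    {"host": "erp-db-01", "tier": 1},
    {"host": "erp-app-01", "tier": 1},
    {"host": "hr-portal-01", "tier": 2},
    {"host": "kiosk-lobby-03", "tier": 3},
]
# Constructed agent telemetry: last heartbeat per host (absent = no agent).
AGENT_HEARTBEATS = {
    "erp-db-01": AS_OF - timedelta(hours=2),
    "hr-portal-01": AS_OF - timedelta(days=14),  # installed but silent
    "kiosk-lobby-03": AS_OF - timedelta(hours=1),
}
# Constructed patch telemetry: date of last applied patch per host.
LAST_PATCHED = {
    "erp-db-01": AS_OF - timedelta(days=10),
    "erp-app-01": AS_OF - timedelta(days=95),
    "hr-portal-01": AS_OF - timedelta(days=20),
}
HEARTBEAT_MAX = timedelta(days=3)   # agent must check in at least this often
PATCH_MAX = timedelta(days=45)      # assumed patch SLA

def assess(inventory, heartbeats, patched, as_of):
    """Return (gaps, coverage): gaps is [(tier, host, failures)] with material
    assets first; coverage is the share of tier-1 assets passing every control."""
    gaps = []
    for asset in inventory:
        host, failures = asset["host"], []
        seen = heartbeats.get(host)
        if seen is None:
            failures.append("no security agent")
        elif as_of - seen > HEARTBEAT_MAX:
            failures.append("agent not reporting")
        last = patched.get(host)
        if last is None or as_of - last > PATCH_MAX:
            failures.append("unpatched")
        if failures:
            gaps.append((asset["tier"], host, failures))
    gaps.sort(key=lambda g: (g[0], g[1]))
    tier1 = [a["host"] for a in inventory if a["tier"] == 1]
    failing = {g[1] for g in gaps if g[0] == 1}
    coverage = 1 - len(failing) / len(tier1) if tier1 else 1.0
    return gaps, coverage
```

The coverage figure, rather than a count of blocked attacks, is the kind of metric the post argues is worth reporting, because a single missing agent on a material asset moves it.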

The guidelines also encourage organisations to involve the legal and compliance departments, as well as the leadership team, in understanding the role that governance plays in better managing security through their reporting obligations.

Furthermore, and this is crucial, they encourage public firms to follow the industry trend of proactive and continuous assessment, which entails not just identifying security weaknesses but also continuously addressing them.

Proceeding Forward

Following its adoption in July and formal implementation on September 5, the SEC's new regulations are still being adapted to by publicly traded corporations. Businesses are required to file yearly reports starting in December and to report "material" cybersecurity incidents within four days, detailing the occurrence and its consequences.

Companies that lack full visibility into their assets, including the state of security controls on devices and apps across the organisation, may find it difficult to comply with these regulations. They can, however, begin to integrate security and compliance with asset intelligence, that is, evidence-based data centred on material risks, and work towards a continuous monitoring and improvement programme that secures the organisation more effectively.