In a ruling this summer, the U.S. Securities and Exchange Commission (SEC) voted to adopt final rules on cybersecurity disclosure.
In a 3-to-2 vote, the SEC adopted rules that require disclosure of material cybersecurity incidents on Form 8-K and periodic disclosure of a registrant’s cybersecurity risk management, strategy and governance in annual reports. Among the rules, the ruling requires reporting material cybersecurity incidents to the SEC within four days of determining the incident is material. Effective December 15, companies will need to disclose their risk management, strategy and governance procedures, and material cyber incidents by December 18.
Security leaders weigh in
With those dates fast approaching, security leaders are sharing their thoughts on the ruling and its effect on the industry.
John Pirc, Vice President at Netenrich:
The new SEC cybersecurity disclosure rules represent a significant advancement in corporate transparency and investor protection. By mandating timely disclosure of material cybersecurity incidents and requiring detailed annual reporting on risk management strategies, these rules bring much-needed clarity and standardization to how public companies report cybersecurity issues.
This move is particularly commendable as it aligns with the growing importance of digital security in today’s interconnected business landscape. However, while the rules offer flexibility in the timing of disclosures, the four-day window for reporting material incidents may pose challenges for companies in accurately assessing and disclosing complex cybersecurity events.
Additionally, the rules’ emphasis on both internal and third-party cybersecurity incidents underscores the increasing complexity of managing digital risk in a cloud-centric world. Overall, these regulations are a positive step towards greater corporate accountability and enhanced investor confidence in the face of escalating cyber threats.
Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea:
With the implementation of the new SEC cybersecurity disclosure rules, organizations must further invest in and improve their incident response plan and process to meet the new SEC rules, such as identifying cybersecurity incidents that have a material impact on the business and also reporting those incidents within four business days of discovery. Incident response tends to focus on identifying the impact of a cybersecurity incident and getting the business back to operations. However, the incident response team must now also identify the business risks and material impact to determine if they need to report and disclose the incident. The new rules are focused on ensuring that incident reporting is more consistent and on safeguarding that investors have transparency into cybersecurity incidents. In the past, the average dwell time for an incident was more than 200 days. These new rules will have a significant impact on how organizations report incidents going forward and will likely see large investments into an organization's risk assessment and incident response strategy.
Michael Mumcuoglu, CEO and Co-Founder at CardinalOps:
One of the key changes with the SEC rule that is different from the previous guidance in 2018 is that, in 10-K reports, organizations will now be required to describe their processes for “assessing, identifying and managing material risks from cybersecurity threats” as well as to “describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.” This puts a greater emphasis on the necessity for companies to assess and validate their existing security controls and to have increased visibility into their overall ability to effectively detect potential threats. We've seen growing interest in this area for a while now, so much so that Gartner research has introduced a new category, automated security control assessment (ASCA), that covers solutions that improve an organization's security posture by verifying the proper, consistent configuration of security controls in order to better manage and reduce risk.
Nakul Goenka, Risk Officer at ColorTokens:
The SEC has approved new cybersecurity rules, which is a significant step in the right direction. These breach disclosure rules will help give CISOs a seat at the table. Companies should start preparing and thinking about their policies, procedures, organizational structure and tool sets immediately.
While the rules do offer flexibility to determine what is considered a “material” incident and hence reportable, we might also see some litigation based on decisions taken by the management teams. It will be interesting to see how these rules are actually implemented and whether the benefits will outweigh the costs and burden.
Claude Mandy, Chief Evangelist, Data Security at Symmetry Systems:
The SEC Cyber Disclosure Rule transforms transparency into cybersecurity risk management and incidents from good practice to regulatory necessity. The challenge for CISOs at public companies will be how they can balance promptness with thoroughness in assessing whether an incident is material.
The SEC’s definition of material cybersecurity incidents is nuanced and broad, including incidents that jeopardize (not only impact) the confidentiality, integrity and availability of systems and data.
This requires CISOs (even with the comfort of self-determining materiality) to be able to substantiate their decision that jeopardy from the incident was not material. In the light of attackers weaponizing the SEC whistleblowing mechanisms, CISOs must be able to methodically prove quickly that systems and data were not jeopardized - with the threat that attackers will prove them wrong.