In a recent ruling, the Securities and Exchange Commission (SEC) voted to adopt final rules on cybersecurity disclosure.
In a 3-to-2 vote on July 26, the SEC adopted rules that require disclosure of material cybersecurity incidents on Form 8-K and periodic disclosure of a registrant’s cybersecurity risk management, strategy and governance in annual reports. Among other things, the rules require a registrant to report a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material.
“The reality is that most companies are currently ill-prepared to meet the requirement of reporting an incident of material impact within four days,” says George Gerchow, IANS Faculty and CSO and SVP of IT, Sumo Logic. “One thing to note is that this ruling doesn’t require the reporting of technical details, but in the event of a breach, it will inevitably come down to tech at some point — and no company is prepared for that.”
The newly adopted rules are set to go into effect no later than Dec. 23, 2023. Smaller public companies have a delayed compliance date of June 2024.
“The recent SEC ruling is certainly a step in the right direction,” says Husnain Bajwa, VP of Product Strategy at Beyond Identity. “Requiring prompt disclosure of data breaches highlights the necessity of proactive accountability that begins long before a breach has occurred — especially when they are highly foreseeable. It’s clear that too many CISOs learned the wrong lessons from Uber’s cover-up and subsequent CISO conviction because despite the real challenges of cybercrime prevention, accountability for the custody of sensitive data remains paramount.”
Security leaders weigh in
What was your initial reaction to the recent SEC ruling?
Diego Souza, Global CISO at Cummins Inc: I believe that the SEC cybersecurity regulations recently put in place are a positive step towards improving the security of public corporations and protecting investors. The regulations require companies to promptly report any major cybersecurity incidents and share information about their cybersecurity risk management, including the board's role in overseeing these procedures. This will enable investors to make informed decisions about their investments and hold companies accountable for their cybersecurity policies.
Pam Nigro, Director/Chair of ISACA Board of Directors: I believe it will be significantly challenging to determine the materiality of a cyber incident. It will require a skill set that is currently not found in the cybersecurity field. Audit, finance and cybersecurity teams will need to work together quickly to determine if a security incident is material.
Another thought is regarding third-party vendor software that is being used: how do you determine materiality on something that is used but not owned in your organization? According to the ruling, organizations are not exempt from disclosing third-party cyber events.
Healthcare organizations under HIPAA have had a breach notification rule. It may have been easier to understand if there was an alignment with the two reporting requirements. The breach notification rule for HIPAA states that you must notify authorities of most breaches without reasonable delay and no later than 60 days after discovering the breach.
How do you see the ruling affecting the role of board of directors in cybersecurity and risk management?
Souza: The new SEC cybersecurity rule is having an impact on the role of the Board of Directors in cybersecurity and risk management in various ways. Firstly, the rule requires the Board to oversee the company's cybersecurity risk management program, which means they need to have a better understanding of the company's cybersecurity risks and the measures in place to mitigate them. Secondly, the rule mandates the disclosure of information about the company's cybersecurity risk management program, requiring the Board to be more transparent about the company's cybersecurity practices to investors and the public. Lastly, the rule increases the Board's accountability for the company's cybersecurity practices, which means they could be held liable for any damages incurred in case of a material cybersecurity incident.
Nigro: The Board needs to understand the organization’s cybersecurity risk and incident response program. Depending on the size of the Board, regular reporting will need to occur to the Audit and Risk Committee or a separate Cybersecurity Committee.
The Board will need some level of cybersecurity expertise on the Board. Cyber resiliency will also need to become a regular Board topic.
James Turgal, VP of Cyber Risk at Optiv: Cyber resilience can only be achieved with company-wide involvement — from the boardroom to the mailroom. So, getting corporate boards more involved in cybersecurity is a major victory from a cultural standpoint. Additionally, many board members still view security as a cost center. With more involvement in the cybersecurity program, the hope is that they’ll start to understand that cyber risk is a business risk and that their perceptions will shift to view security for what it truly is: a business enabler.
How do you think this ruling will impact the overall cybersecurity landscape?
Souza: The new rule aims to motivate companies to enhance their cybersecurity practices. It mandates that companies reveal details about their risk management procedures and the qualifications of their cybersecurity personnel. By doing so, the rule will expose those companies that do not prioritize cybersecurity and exert pressure on them to amend their ways. Ultimately, this will lead to an improved security landscape for everyone.
Nigro: Organizations will need to consider cyber incidents in aggregate. Those small cyber incidents may aggregate to material and subsequently need to be reported.
In light of this ruling, how can security leaders ensure their organization remains compliant?
Souza: To comply with cybersecurity rules, leaders must understand the requirements and what constitutes a "material" incident. Assess your organization's current cybersecurity and develop a plan to improve if necessary. Document your risk management program and promptly disclose any material incidents, including details about the incident's nature, scope and impact.
Nigro: Learn and understand the materiality level of the organization. Understand how deficiencies can roll up to significant deficiencies that may then build to a level of materiality in the organization. Simplify confusing, technical discussions.
Partner with your Chief Information Officer (CIO), Chief Technology Officer (CTO) and your Chief Audit Executive Officer (CAE) to begin to correlate the inventory of systems and the materiality of each system. Then also look at the immaterial systems and compile a list of which systems in aggregate could reach the level of materiality.
Complete this same exercise with the organization’s third-party vendors. Review contracts and reporting requirements.
How can organizations streamline their incident response procedures to minimize response times and meet regulatory requirements?
Souza: Organizations can speed up their incident response procedures and comply with regulations by taking a few steps. Firstly, they must create a clear incident response plan that outlines the responsibilities of all stakeholders and the actions to be taken during an incident. Using automated tools and processes can help to automate tasks such as data collection, analysis and notification, making the response process more efficient. Regular drills and exercises are also crucial to ensure that the team is familiar with the plan and can execute it effectively in case of an incident. Staying up-to-date on the latest threats and trends can help to identify and respond to incidents more quickly and effectively. Lastly, it is important to regularly test and update the incident response plan to ensure it is up-to-date and meets the organization's needs.
Nigro: Review incident response plans and business continuity plans, make testing those plans a continuous process. This will show the areas needed for improvement and streamlining as well as build the muscle memory needed to respond quickly when an incident occurs.
Review all cybersecurity policies and procedures to ensure that they are “reasonably designed to mitigate cybersecurity risk.”