The Securities and Exchange Commission's (SEC) new cybersecurity rules create concern among CISOs and security experts about what will ultimately constitute a material cyber incident.
Risk Management

CISOs Play a Critical Role in Compliance with New SEC Cybersecurity Disclosure Rules

George V. Hulme, Aug 1, 2023

Last week, the U.S. Securities and Exchange Commission voted in favor of mandates requiring publicly traded companies to report cyberattacks that pose a “material impact” to the business. 

The new set of SEC cybersecurity rules broadly requires public companies to disclose material cybersecurity incidents, historically defined as items that investors would want to know to make informed investment decisions. They also require companies to provide periodic reports on cybersecurity management practices, such as risk management, security strategy, and governance efforts.

The rules raise concern among CISOs and security experts about what will ultimately constitute a material cyber incident, the requirement to disclose within four business days of determining that an incident is material, and whether the level of detail companies are asked to reveal could aid adversaries.

The experts we spoke with agree that the new rules show a shift among regulators from a focus on data breach disclosure to a more comprehensive view of digital risk. “To date, the attention has been focused on reporting data breaches with personally identifiable information, and the new SEC rule makes it clear that is woefully inadequate,” says Mark Rasch, Of Counsel, Kohrman, Jackson, & Krantz LLP. 

While the new rules raise the level of transparency expected of companies around cyber-related incidents, they are not an entirely new burden on public companies, though they are likely to cause confusion at first.

New Rules, New Challenges

Caleb Sima, former CISO at Robinhood Financial, says the rule will place new burdens on the CISO office. “There will be some challenges, including what a company has to disclose and in what timeframe. These are the two points security professionals are expressing the most concern about,” he says. “Still, overall, I think the new rule is quite fair.”

Based on his experience responding to real-world incidents, Sima says that companies will likely realize an incident is material long before they understand the full extent of its materiality. “Once you determine whether something is material or not, that doesn't mean that you’re finished with figuring out what's fully going on and how material the incident will turn out to be. You may have uncovered that 1GB of data has been stolen, but what if they ultimately stole 50GB or 100GB of data, and your investigation has yet to uncover that? When these things happen, you and your team and others in the company are heads down doing everything they can to manage the situation, and four days is not much time,” he says. “You absolutely do not want to keep having to change your story as you uncover more information about the incident,” he adds.

The tight timeline can also create challenges during ongoing incidents, such as ransomware attacks. “When you're in the middle of negotiations with the threat actor, your job is gaining trust to extract as much information as you can from this person. And if the incident goes public during these negotiations, it can cause these threat actors to pull back [from negotiations] or dump data online. It’s not a great situation,” Sima explains.

Timelines aside, public companies have always been required to reveal conditions that could potentially impact the business, and these new rules formalize the process for cybersecurity-related incidents. “Publicly traded companies have always been required to share their material risks to their business to shareholders, and whether that’s the possibility of a worker strike or an earthquake that affects distribution, or an ongoing distributed denial-of-service attack, it’s always been something that has to be disclosed if it could affect investors’ decision as to invest or not,” explains Rasch. 

Scott Crawford, information security research lead, S&P Global Market Intelligence, agrees yet adds that the new rules may not provide much further information for investors. “You can point to previous high-profile incidents and see which are material because those are public. Have there been material incidents that haven’t been disclosed? Maybe? I’m a little skeptical because if they were that material, they would have impaired the performance of the business in some material way, and I think most of those would become public.”

Short-Term Pain, Risks of Over-Disclosure

Enterprise cybersecurity experts are concerned that the new rule could expose companies to increased risk. “Suppose a company conducted a risk assessment and found serious vulnerabilities that will take months to rectify. A lawyer in the situation will advise that the disclosure includes that they identified material vulnerabilities in their technology systems and that we are addressing the situation. Still, it will take some time, and we could remain vulnerable for the next six months. What you’ve just stated is ‘attack me, please,’” explains Rasch.

That’s the paradox: “The more granular the disclosure is about the nature of the incident, the more useful it is to investors, but the more it increases your risk. So you end up with disclosures that are effectively pablum, particularly about where the risk was and its nature. It's tough to know what to tell them that won't worsen the problem," Rasch adds. 

Crawford sees similar challenges, but with the periodic disclosure requirements for cybersecurity management practices. “The biggest one will be establishing the reporting processes for identifying, assessing, and managing material risks. While it sounds straightforward, it will be difficult for them in practice, and they’ll devise a formulaic way to state what they are doing. Until then, it will be bumpy for them to determine how to properly describe these processes without detailing too much,” he says.

What is Material When it Comes to Cybersecurity?

What type and magnitude of cybersecurity-related incidents will be material and require disclosure? The definition of “material” in SEC Rule 405 under the Securities Act of 1933 perhaps shows the way: it limits the information required to "… those matters to which there is a substantial likelihood that a reasonable investor would attach importance in determining whether to purchase the security registered."

“That’s going to be a breach of sensitive data to the company, a breach of customer PII, or a disruption, denial of service attack, or other such incident,” explains Rasch. “When you had an incident, which is broader than a data breach, and based on your size, complexity, and the nature of your business, you must answer whether or not the event was material to investors,” he adds.

That does sound like a practice public companies should have long been engaged in. “This doesn’t move the needle by making it explicitly clear that material incidents must be disclosed,” says Rasch. “But the reality is whenever there’s been a major incident at publicly traded companies, and the lawyers find out about it, their advice would have been the same without the regulation.”


George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
