‘Game-changer’: SEC rules on cyber disclosure would boost security planning, spending


New rules proposed by the U.S. Securities and Exchange Commission (SEC) that would force a prompt disclosure of major cyberattacks are expected to drive a dramatic improvement in security posture among U.S. companies, cyber industry executives told VentureBeat.

The proposed SEC rules include a requirement for publicly traded companies to disclose details on a “material cybersecurity incident” — such as a serious data breach, ransomware attack, data theft or accidental exposure of sensitive data — in a public filing. And under the proposed rule, the disclosure would need to be made within just four business days of the company determining that the incident was “material,” the SEC said.

While the SEC’s main motive is to provide investors with more information about corporations’ cyber risk, increased planning and spending around security by many U.S. companies are likely outcomes, cyber executives said.

“The truth is that compliance is by far the bigger driver in cybersecurity than the desire to be more secure,” said Stel Valavanis, founder and CEO of managed security services firm OnShore Security.

‘They will spend more money’

The proposed SEC regulation doesn’t spell out a required enhancement of corporations’ security posture, per se — but “the visibility it does require will have that effect,” Valavanis said.

In other words, “yes, they will spend more money to prevent ever having to disclose a breach,” he said. “But they will also do things in a smarter way that allows them to have the data, and the process, to more accurately assess a breach and report the impact. To me, that’s a game-changer.”

Karthik Kannan, CEO of cyber threat detection firm Anvilogic, agreed, saying that “regulations and compliance drive better posture — which in turn always translates into more investment.”

Specifically, the new rule around disclosing “material” cybersecurity incidents would require the incident to be reported on Form 8-K, the current-report form that the proposal amends to add a dedicated item for cybersecurity incidents.

Other proposed SEC rules would require publicly traded firms to provide updated information in their periodic reports about cybersecurity incidents that had previously been disclosed, and to disclose a series of previously undisclosed incidents that were individually immaterial but have become material “in the aggregate.”

Improving transparency

In a news release, SEC Chair Gary Gensler called cybersecurity “an emerging risk with which public issuers increasingly must contend.”

“Investors want to know more about how issuers are managing those growing risks,” Gensler said — noting that while some publicly traded companies already disclose such information to investors, “companies and investors alike would benefit” from consistent and comparable disclosure of cyber incidents.

The SEC said the comment period on the new rules will run for 60 days, or through May 9.

The proposed rules are a “good move” by the SEC, given that current rules “have essentially allowed companies to disclose this critical information” of their own accord, said Ray Kelly, fellow at NTT Application Security.

That has meant that some incidents have not been disclosed promptly — or at all.

“Although we are unable to determine the number of material cybersecurity incidents that either are not being disclosed or not being disclosed in a timely manner, the staff has observed certain cybersecurity incidents that were reported in the media but that were not disclosed in a registrant’s filings,” the SEC said in a document on the proposed rule.

‘Material’ incident

The SEC did not propose a new threshold for what constitutes a “material” cybersecurity incident; it relied on the materiality standard already established in securities case law. From the SEC document on the proposed rules:

Information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.”

In the document, the SEC provided a number of examples of cybersecurity incidents that could fit the criteria for being “material”:

  • An unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network); or violated the registrant’s security policies or procedures. Incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data;
  • An unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems;
  • An incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered, or has stolen sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the registrant;
  • An incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or
  • An incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.

The proposed rule amendments are an important step toward increasing transparency and accountability in cybersecurity, said Jasmine Henry, field security director at cyber asset management and governance solutions firm JupiterOne.

“It’s a public recognition that security is a basic right and that organizations have an ethical responsibility to their shareholders to proactively manage cyber risk,” Henry said.

Incident recovery

In particular, Henry said she is encouraged by the SEC’s attention toward cyber incident recovery in the rules proposal. As part of the regulation, the SEC would require disclosure of whether companies have assembled plans for business continuity, contingency and recovery in the event that a major cybersecurity incident occurs.

“Applying meaningful change is the most important part of learning from a cybersecurity incident,” Henry said.

As far as incident response (IR) goes, organizations are going to need to ramp up their IR plans if the SEC rules end up being adopted, according to Joseph Carson, chief security scientist at privileged access management firm Delinea.

Currently, four days after the discovery of a data breach, many organizations “are still trying to identify the impact,” Carson said.

Thus, many security teams would need to shift to a position of being “IR-ready” if the SEC rules are adopted, he said.

Brian Fox, CTO of application security firm Sonatype, said he questions whether four days is the right amount of time for requiring cyber incident disclosure, though.

Too short?

In severe attacks, companies are still usually in triage and response mode — where sufficient details are not yet known, Fox said. That could potentially lead to misreported information, he said.

In general, though, “more transparency will lead to more accountability and investment in proper protections within organizations,” Fox said.

If the rules are adopted, and businesses end up in a “scramble to validate their posture,” many will realize that “their security solutions are underperforming,” said Davis McCarthy, principal security researcher at cloud-native network security services firm Valtix.

“Companies will want to offload their risk,” McCarthy said, which could further accelerate the shift to cloud platforms that take responsibility for securing hardware infrastructure.

Another notable component of the proposed rules is a section that would require the disclosure of any board member who has expertise in cybersecurity. That would potentially highlight whether a company’s board “has the right people doing the job,” McCarthy said.

‘About time’

All in all, the adoption of these rules should have a positive effect on cybersecurity as a whole, executives said.

Without a doubt, “increased reporting on cyber posture and what companies are using for risk management will drive additional investment in this area,” said Padraic O’Reilly, cofounder of cyber risk management firm CyberSaint.

And “it’s about time,” said Alberto Yepez, cofounder and managing director at venture firm Forgepoint Capital — given the many indications that overall security posture among businesses is headed in the wrong direction.

For instance, 83% of organizations experienced a successful email-based phishing attack in 2021, versus 57% the year before, according to Proofpoint. Meanwhile, data leaks related to ransomware surged 82% in 2021 compared to 2020, CrowdStrike data shows.

Hopefully, with the new cyberattack disclosure requirements proposed by the SEC, “this is the beginning of a tsunami of change in corporate governance,” Yepez said.

Originally appeared on: TheSpuzz