The Securities and Exchange Commission (SEC) has issued a landmark ruling on cybersecurity disclosure for public companies.
Starting as early as December 15, public enterprises will be required to disclose “material” incidents within four business days, reveal how they detect and address such incidents, and describe board oversight of cybersecurity risk.
Not surprisingly, the response has been all over the board, with some calling it a step in the right direction regarding transparency and communication, while others describe it as a rear-view tactic.
Still others argue that it could open companies up to more risk, not less, and many point out that four days isn’t nearly enough time to confirm a breach, understand its impact and coordinate notifications.
Furthermore, many take umbrage at the vagueness of the wording around “material” incidents.
“If the SEC is saying this will be law, they need to be very specific with what they define as ‘material impact,’” said Tom Guarente, VP of external and government affairs at cybersecurity company Armis. “Otherwise, it is open to interpretation.”
New rules defined
The ruling is intended to increase visibility into the governance of cybersecurity and put greater pressure on boards and C-suites, according to the SEC. Providing disclosure in a more “consistent, comparable and decision-useful way” will benefit investors, companies and the markets connecting them, the agency says.
Per the new rules, public companies must:
- Disclose “material” cybersecurity incidents within four business days of determining that an incident is material, and describe the incident’s nature, scope, timing and material or likely material impact.
- Disclose processes for assessing, identifying and managing material risks from cybersecurity threats.
- Describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks.
The final rules will become effective 30 days following publication in the Federal Register and disclosures will be due as soon as December 15.
Identifying materiality, ensuring disclosures aren’t just more noise
Going forward, legal teams will need to consider what might be “material” in all sorts of scenarios, said Alisa Chestler, chair of the data protection, privacy and cybersecurity team at national law firm Baker Donelson.
For example, she pointed out, a breach that impacts the supply chain could be material after one day or three. Or, maybe theft of intellectual property has occurred and while it is material, does it impact national security and therefore merit a delay?
“Materiality will be very much based on cyber and operations,” she told VentureBeat.
However materiality is defined, the optimal outcome is that notifications will not only protect investors and consumers but inform collective learning — namely, that public companies and other entities glean actionable lessons learned, said Maurice Uenuma, VP and GM at data erasure platform Blancco.
“If these breach notifications just become more noise for a world becoming numb to the steady drumbeat of breaches, the effort won’t yield much benefit,” said Uenuma, who is also former VP of Tripwire and The Center for Internet Security.
Private companies take note
This isn’t just an issue for public companies, experts emphasize.
“It’s very important to realize that while this law is directed at public companies, it’s really going to trickle down to all companies of all sizes,” said Chestler.
She pointed out that public companies are reliant on many smaller software and supply chain companies, and a cyberattack at any point along that chain could have a material impact.
Contractually, public companies will need to start thinking about how to flow security and disclosure requirements down to their vendors for their own protection. She said this could mean implementing vendor management programs instead of just vendor procurement programs, along with regular re-evaluation of agreements and contracts.
This means that private companies should be closely watching developments so they can be prepared for increased scrutiny of their own operations.
Addressing and revising processes
The reality is that most companies are currently ill-prepared to meet the requirement of reporting an incident of material impact within four days, said George Gerchow, CSO and SVP of IT at cloud-native SaaS analytics company Sumo Logic.
As such, they will have to address and likely revise how they discover potential vulnerabilities and breaches, as well as their reporting mechanisms. That is, he posited, if a security team discovers a breach, how is it reported to the SEC and who does the reporting: the CISO, general counsel, a cybersecurity working group or someone else within the organization?
Finally, “having cybersecurity presence on the board is critical, and it’s time for CISOs to begin preparing themselves for board positions — and for companies to position qualified CISOs on their boards,” he said.
Getting boards on board
Bridging the divide between CISOs and boards starts with a two-way discussion, emphasized David Homovich, solutions consultant in the office of the CISO at Google Cloud.
Security leaders should regularly brief board members and provide them an opportunity to ask questions that help them understand the security management team’s priorities and how those align with business processes, he said.
CISOs would do well to avoid focusing on one specific cybersecurity issue or metric that can often be complex and difficult to understand. Instead, they should engage at a broad enterprise-wide risk management level where “cybersecurity risk can be contextualized” and cybersecurity challenges can be made “more digestible and accessible.”
For instance, techniques like scenario planning and incident analysis help place an organization’s risks in a real-world context.
“Board involvement can be challenging, as board members often do not have the in-depth expertise to closely direct the management of that risk,” said Homovich.
Even if a board member has relevant experience as a CIO, CTO or C-suite role, it can still be a struggle because they are not directly involved in day-to-day security operations.
“A board’s understanding of cybersecurity is more critical than ever,” he said, pointing to surges in zero-day vulnerabilities, threat actor groups, supply chain compromises and extortion tactics designed to hurt company reputations.
“We predict that boards will play an important role in how organizations respond to these trends and should prepare now for the future,” he added.
Answering critical cybersecurity questions
Homovich pointed out that the majority of large companies — particularly those in highly regulated industries — will not need to dramatically shift their approach to board oversight. Instead, there will likely be a significant adjustment on the part of small-to-medium-sized public companies.
He advised CISOs to immediately engage their C-Suite counterparts and board members and ask questions such as:
- ‘How good are we at cybersecurity?’ That is, “company leadership should have a strong understanding of the people and expertise on the cybersecurity team and their experiences,” he said.
- ‘How resilient are we?’ CISOs should be prepared to answer questions about how they can keep the business running through an event such as a ransomware attack.
- ‘What is our risk?’
CISOs should revisit their management framework and ensure it addresses five key areas: current threats; an explanation of what cybersecurity leadership is doing to mitigate those threats; examples of how the CISO is testing whether mitigations are working; the consequences if those threats actually happen; and risks that the company is not going to mitigate, but will otherwise accept.
Collaborating internally and externally
But collaboration isn’t just important internally — security leaders should be “robustly engaging outside experts” through such groups as the CISO Executive Network, Chestler said. This can help build camaraderie and share best practices, “because they continue to evolve.”
Indeed, in today’s threat landscape, technology isn’t enough, agreed Max Vetter, VP of cyber at training company Immersive Labs. Enterprises must also invest in cyber resilience and people’s preparedness for attacks.
“People need to know how to work together to mitigate an attack before one actually occurs,” said Vetter. “With a people-centric cybersecurity culture and approach, we can make the most of our investments while measurably reducing risk.”