Clock Starts on SEC Cyberattack Rules: What CISOs Should Know

The Security and Exchange Commission’s rules policing disclosure and documentation of cyberattack incidents were adopted in July and started going into effect on December 15. Today, the remaining rules will apply to all public companies.

The rules will require businesses to disclose any cybersecurity incident they determine to be material and to disclose the incident’s scope, nature, and timing along with material impact. The rules also require organizations to describe processes for assessing, identifying, and managing material risks from those threats as well as the board of directors’ and management’s role in assessing and managing risk. The written disclosures must be filed within four business days of the event’s discovery.

“Whether a company loses a factory in a fire -- or millions of files in a cybersecurity incident -- it may be material to investors,” SEC Chair Gary Gensler said in a statement. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way…”

New Rules Impact on CISOs

Chris Pierson, founder and CEO of cybersecurity firm BlackCloak, tells InformationWeek in an interview that the new rules will have a significant impact on the role of CISO.

Related:SolarWinds, CISO Targeted in SEC Lawsuit

“What CISOs should be doing is analyzing and assessing what are the material controls they have at the company,” he says. “How are they positioned from a risk appetite perspective? How are they working with executive leadership?”

While many businesses have prepared for the new rules, there’s a possibility that cyberattackers will use the new timeframe requirements to add pressure to negotiations. “Cybercriminals have shown that if they are willing to control the timeline, they are able to prompt people into action,” Pierson says. “If you tell people that we will expose your data within seven days unless you pay us -- that creates a time clock and a scenario where the power goes to the cybercriminal.”

He adds, “A regulatory time mandate creates a new pressure cooker situation for CISOs, their teams and companies at large.”

Another issue is that incidents at large organizations take time to investigate, Pierson says. “Nobody knows, in four days, the true nature and extent as to what has occurred and what the impact will be. So, you might be coming out and saying something happened, but you don’t know exactly what that is yet.”

Brian Neuhaus, CTO, Americas at cybersecurity firm Vectra AI, told InformationWeek via email that practice can help when it comes to the new disclosure rules. “Organizations must be well-prepared in advance of SEC’s new public disclosure policy … Conducting tabletop exercises is a highly effective and practical approach for rapid response to potential threats. It’s important to expand these exercises to include practice in filing the mandatory components as required by the regulations,” he says.

Related:Data Breaches Just Keep Piling Up

Reputation, Neuhaus says, is still manageable with the right communications plan. “Having prepared statements ready is essential for controlling the public narrative. Ensuring that the entire team, from the board downwards, is prepared will streamline the process.”

Mike Scott, CISO at Immuta, says in an email that the SEC’s new rules will force companies to develop a “mature incident response plan.” He adds, “With the continual evolution of security threats, frequency of third-party breaches, and ever evolving laws and regulations, the stakes remain high for CISOs and their security teams to not only act but to act fast … While it’s impossible to plan for every possible scenario, a mature incident response plan, properly trained staff, and the right tools and services will help ensure the post outcome in the event of an incident.”

Related:Will More Threat Actors Weaponize Cybersecurity Regulations?

Responsibility to Consumers, Investors

While the new requirements will surely cause headaches for security teams and C-suite executives, the purpose of timely disclosure is to benefit the general public and investors.

“Ultimately, people deserve the right to know if their data has been exposed,” Scott says. “Organizations need to understand the responsibilities of collecting, storing and analyzing data and the consequences of misuse -- it’s the ethical thing to do.”

During a June speech, SEC Enforcement Director Gurbir S. Grewal, warned against companies trying to subvert the new guidelines, saying the government will have “zero tolerance for gamesmanship” when it comes to cybersecurity disclosures.

“When there are cyber attacks on publicly traded companies and other market participants, we consider the investing public to also be potential victims of those incidents,” he said. “We fully understand that when … a public company is breached, it can be disruptive and expensive … but we cannot lose focus of the fact that those decisions directly impact customers whose private or financial information has been compromised…”