Clock Starts on SEC Cyberattack Rules: What CISOs Should Know
New federal rules will require public companies to disclose cybersecurity incidents as well as material risks from threats. Experts say the rules could be tricky to navigate and leave openings for exploitation by threat actors.
At a Glance
- Federal rules requiring a tighter timeframe from disclosing cyberattacks are now in effect.
- CISOs at public companies need to make sure they understand how the new rules will impact their security teams.
- While the new rules may prove costly for some companies, government officials say the public will benefit.
The Security and Exchange Commission’s rules policing disclosure and documentation of cyberattack incidents were adopted in July and started going into effect on December 15. Today, the remaining rules will apply to all public companies.
The rules will require businesses to disclose any cybersecurity incident they determine to be material and to disclose the incident’s scope, nature, and timing along with material impact. The rules also require organizations to describe processes for assessing, identifying, and managing material risks from those threats as well as the board of directors’ and management’s role in assessing and managing risk. The written disclosures must be filed within four business days of the event’s discovery.
“Whether a company loses a factory in a fire -- or millions of files in a cybersecurity incident -- it may be material to investors,” SEC Chair Gary Gensler said in a statement. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way…”
New Rules Impact on CISOs
Chris Pierson, founder and CEO of cybersecurity firm BlackCloak, tells InformationWeek in an interview that the new rules will have a significant impact on the role of CISO.
“What CISOs should be doing is analyzing and assessing what are the material controls they have at the company,” he says. “How are they positioned from a risk appetite perspective? How are they working with executive leadership?”
While many businesses have prepared for the new rules, there’s a possibility that cyberattackers will use the new timeframe requirements to add pressure to negotiations. “Cybercriminals have shown that if they are willing to control the timeline, they are able to prompt people into action,” Pierson says. “If you tell people that we will expose your data within seven days unless you pay us -- that creates a time clock and a scenario where the power goes to the cybercriminal.”
He adds, “A regulatory time mandate creates a new pressure cooker situation for CISOs, their teams and companies at large.”
Another issue is that incidents at large organizations take time to investigate, Pierson says. “Nobody knows, in four days, the true nature and extent as to what has occurred and what the impact will be. So, you might be coming out and saying something happened, but you don ’t know exactly what that is yet.”
Brian Neuhaus, CTO, Americas at cybersecurity firm Vectra AI, told InformationWeek via email that practice can help when it comes to the new disclosure rules. “Organizations must be well-prepared in advance of SEC’s new public disclosure policy … Conducting tabletop exercises is a highly effective and practical approach for rapid response to potential threats. It’s important to expand these exercises to include practice in filing the mandatory components as required by the regulations,” he says.
Reputation, Neuhaus says, is still manageable with the right communications plan. “Having prepared statements ready is essential for controlling the public narrative. Ensuring that the entire team, from the board downwards, is prepared will streamline the process.”
Mike Scott, CISO at Immuta, says in an email that the SEC’s new rules will force companies to develop a “mature incident response plan.” He adds, “With the continual evolution of security threats, frequency of third-party breaches, and ever evolving laws and regulations, the stakes remain high for CISOs and their security teams to not only act but to act fast … While it’s impossible to plan for every possible scenario, a mature incident response plan, properly trained staff, and the right tools and services will help ensure the post outcome in the event of an incident.”
Responsibility to Consumers, Investors
While the new requirements will surely cause headaches for security teams and C-suite executives, the purpose of timely disclosure is to benefit the general public and investors.
“Ultimately, people deserve the right to know if their data has been exposed,” Scott says. “Organizations need to understand the responsibilities of collecting, storing and analyzing data and the consequences of misuse -- it’s the ethical thing to do.”
During a June speech, SEC Enforcement Director Gurbir S. Grewal, warned against companies trying to subvert the new guidelines, saying the government will have “zero tolerance for gamesmanship” when it comes to cybersecurity disclosures.
“When there are cyber attacks on publicly traded companies and other market participants, we consider the investing public to also be potential victims of those incidents,” he said. “We fully understand that when … a public company is breached, it can be disruptive and expensive … but we cannot lose focus of the fact that those decisions directly impact customers whose private or financial information has been compromised…”
Read more about:
RegulationAbout the Author
You May Also Like