Industry reacts to new SEC breach disclosure rules
On Wednesday the US Securities and Exchange Commission (SEC) approved new rules that require publicly traded companies to publicize details of a cyber attack within four days of identifying that it has a 'material' impact on their finances.
This marks a major shift in how data breaches are disclosed, and industry figures have been quick to give their views on the effect the new rules will have.
Joseph Carson, chief security scientist and advisory CISO at Delinea, says:
The latest US Securities and Exchange Commission ruling will cause shock waves for publicly traded companies and their legal teams trying to assess how they can quantify and measure a 'material' impact to their finances within four days of a cyberattack.
Typically, within four days, organizations would be in the midst of trying to retain control over their systems from unauthorized access, rather than having to also try and determine any 'material' impact to their finances.
Most cyber-attacks have a cost, but the big question in incident response will now be how to evaluate the 'material' impact of an incident in such a small timeframe.
The real impact of the SEC ruling is now the need for Incident Response teams to have a significant investment to ensure they can meet this new cyber-attack disclosure requirement.
A major issue is that not all cyber-attacks are equal, and the question and focus on 'material' can result in many different assumptions such as data theft and how to quantify the 'material' impact.
George Gerchow, of IANS Faculty, believes the move is a broadly positive one: "This ruling is a great step towards achieving accountability, to protect the consumers and the investor community. The reality is that most companies are currently ill-prepared to meet the requirement of reporting an incident of material impact within four days. One thing to note is that this ruling doesn't require the reporting of technical details, but in the event of a breach, it will inevitably come down to tech at some point -- and no company is prepared for that."
This is echoed by Amit Yoran, CEO and chairman of Tenable: "The Securities and Exchange Commission's (SEC) new rule on cyber risk management and incident disclosure is right on the money. For a long time, the largest and most powerful US companies have treated cybersecurity as a nice-to-have, not a must-have. Now, it's abundantly clear that corporate leaders must elevate cybersecurity within their organizations."
Scott Kannry, CEO and co-founder of Axio, says companies will need to take steps to prepare:
By requiring companies to disclose 'material' breaches within four days, companies will need to take the right steps to be prepared ahead of time. To effectively comply:
- CEOs and Boards of Directors will need to finally understand cybersecurity risk and, therefore, provide the same oversight and governance they offer to all other types of material enterprise risks.
- In order to minimize their risk, security leaders must quickly model the potential impact (or lack thereof) of new and evolving threats within their own organization and more effectively determine if any mitigating actions should be taken.
- All key enterprise constituents need to have a better understanding of how cybersecurity events can impact the business and become more effective at minimizing impact – and acting quickly – if an event should occur.
All these outcomes differ starkly from the prevailing norm, where governance is lacking, resources are misaligned, and enterprises fly blind to their most critical cybersecurity risks, putting the company and shareholders on uncertain ground. By properly preparing, enterprises will not only be able to disclose breaches within the required timeline, but they and their shareholders will also have an understanding of their cybersecurity risk from a financial impact perspective for better prioritization and decision-making.
"Companies that have been breached would do well to focus first on showing a duty of care to their customers rather than the SEC. Class actions and a tattered reputation could be more damaging than a fine," says Paul Brucciani, cyber security advisor at WithSecure. "General counsels should advise their colleagues that a breach is not always a breach - calling a security incident a 'data breach' will not trigger SEC obligations. Until you are certain a breach has taken place, refer to it as an incident. Consider also using two investigation teams: one commissioned by external counsel to conduct a forensic investigation under legal privilege to educate the external counsel about aspects of the breach so that counsel can provide informed legal advice to its client; and if necessary, a second team to support the incident response team in investigating and fixing the data breach."
Tara Wisniewski, EVP, advocacy, global markets and member engagement at (ISC)², believes the new rules are unclear:
While we support the fundamental principles of public disclosure to inform and protect shareholders, customers and other constituents, the SEC ruling is worryingly vague. It poses more questions than answers, and may create ambiguity for cyber professionals.
There are no concrete definitions for which cyber incidents must be disclosed, or what the SEC means by 'material impact'. There are millions of attempts on businesses daily, some unsuccessful, others partially so. Without clearer definitions, the rules are open to interpretation which could either lead to over-reporting, distracting cyber professionals from their main task of network protection, or under-reporting, which could expose cyber professionals to personal liability.
Jeffrey Wheatman, SVP, cyber risk evangelist at Black Kite, also says there will be questions around implementing the new rules, "With this ruling, companies will now have to notify the SEC of cybersecurity incidents that have a material impact on business operations four days after they declare it material and will be held accountable to disclose cybersecurity risk management, strategy and governance in their annual filings. This is a challenging process in which there are no current requirements or standards to follow today, and as a result, public organizations will likely be left with questions on how to implement these new regulations as part of their overall cybersecurity strategies."