In July, the United States Securities and Exchange Commission (SEC) announced that it would require public companies to disclose their cybersecurity risk management strategies and governance practices annually, as well as any material cybersecurity incidents.

A new report released this month by cyber risk monitoring firm ISS Corporate Solutions (ICS) found that, in advance of the rules taking effect, companies are making a concerted effort to signal to stakeholders that they have an effective approach to managing cybersecurity threats.

“The SEC’s new cyber disclosure rules are a forcing function for management teams and boards,” said Doug Clare, managing director and head of cyber strategy at ISS Corporate Solutions, via a statement. “As companies will now need to make more robust disclosures about their cyber risk management practices, the rules will undoubtedly compel many firms to adopt more robust processes worthy of the disclosure.”

However, some other cybersecurity experts warn that much still needs to be done.

Four-Day Reporting

The SEC rules require that a material cybersecurity incident be disclosed within four business days of the company determining that the incident is material; the clock starts at that materiality determination, not at the moment the intrusion is first discovered, although the determination itself must be made without unreasonable delay. Critics nonetheless argue that four days is not enough time to confirm a breach, understand its impact, and coordinate notifications.

“Experienced security leaders know that many security incidents – including those impacting consumers – go unreported. For example, as the DOJ investigation of Uber involving Joe Sullivan revealed, companies may go to great lengths to avoid public breach disclosures,” explained Paul Valente, CEO & co-founder at VISO TRUST.

“This lack of transparency hurts both investors and consumers alike and can benefit threat actors immensely,” Valente told ClearanceJobs.

Investors who do not know that a material incident has occurred may make decisions on a false picture of the company, only to suffer losses when the breach is finally brought to light.

“Consumers can of course experience irreparable harm through data leaks and identity theft that could have been partially or completely mitigated if appropriate timely disclosure had occurred,” Valente continued. “Threat actors in secrecy can proceed to commit fraud unabated and having both the knowledge of the breach and the power to influence disclosure timing, can themselves take advantage of market swings that can occur once the breach has been disclosed.”

Resilience And Response

The SEC’s directive is also a sign that pressure is being put on all companies and organizations to invest in their cybersecurity resilience and response.

“The four business days reporting rule seems aggressive but it’s a lot better than the 24 hours proposed by the EU Cyber Resilience Act in similar guidelines in Europe,” George McGregor, vice president at cybersecurity provider Approov, told ClearanceJobs.

“The industry response to the SEC requirements will be similar to the unified response which met the EU Cyber Resilience Act, which was to complain about the time to put everything in place and the short reporting requirement,” McGregor added. “Nevertheless, this trend will continue, and it is inevitable that all companies will have to increase their focus and investment on cybersecurity governance, protection and response.”

Transparent Approach

There are already many cases of companies taking a more transparent approach, not only disclosing breaches after the fact but even reporting potential cyber attacks as they unfold, which empowers investors, consumers, and partners to take action and make better decisions to protect themselves.

“The purpose of the SEC requirements is to protect investors from making naive investment decisions due to the withholding of information that could reasonably impact the value or performance of the investment,” said Valente. “While early disclosure based on incomplete information can add uncertainty, the SEC’s position is that this is both justified and far more favorable than the impact of the deceptive withholding of pertinent information.”

The Devil is in the Details

Though the clock will be ticking, detailing the requested information about a cybersecurity incident should not add much of a burden for firms that already follow established practices.

“The new requirements don’t dictate anything above or beyond what is already accepted as a reasonable effort based on existing industry standards,” said Valente. “They effectively increase awareness and support for current industry standards and should ultimately contribute to better transparency, and as a result more support and funding for security teams.”

However, Valente also told ClearanceJobs that doing the right thing starts at the top.

“For companies not already taking security seriously, these new requirements should serve as a wakeup call for boards to get educated and to establish oversight with regard to security. Companies need to take security seriously, expect to be breached, and be prepared to respond,” he continued.

“Chief information security officers (CISOs) have been given a pass on third party security for many years and taken a ‘not my problem’ stance, at least in part because digital transformation has led to a very large number of third party interactions, and the industry best practices for assessment have dictated flawed processes for assessing third parties using ineffective means such as security questionnaires and surveys,” Valente added. “Modern companies will solve this by taking advantage of AI to enable evidence-based analysis efficiently and at scale, increasing fidelity and minimizing resource constraints.”

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.