SEC poised to beef up cybersecurity requirements for public companies

Earlier this year, the U.S. Securities and Exchange Commission (SEC) announced that it was proposing new rules to standardize disclosures by publicly traded companies related to cybersecurity risk management, strategy, governance, and incident reporting.

Although the rules have yet to be formally adopted by the agency, suggested requirements include:

• Current reporting about “material” cybersecurity incidents.
• Periodic updates about previously reported cybersecurity incidents.
• Periodic disclosures regarding a company’s policies and procedures to identify and manage cybersecurity risk.
• The board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risks.
• And management’s role and expertise in not only assessing and managing cybersecurity risk, but also implementing cybersecurity policies and procedures.

“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs," SEC Chair Gary Gensler said in a statement. "Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner."  

Following last year’s ransomware attacks against Colonial Pipeline, JBS, and numerous other public and private sector organizations, the Biden administration made improving the nation’s cybersecurity posture one of its top priorities. However, aside from mandating government agencies to adopt more robust cybersecurity protocols, the executive orders issued in the wake of these incidents could only recommend that private sector organizations embrace similar measures.    

According to Jason Rader, Global Vice President for Security and Chief Information Security Officer (CISO) at Insight Enterprises, the new requirements will not pose a significant burden for most public companies, many of which are already taking a proactive approach to cybersecurity and incident reporting. On the other hand, he sees the newly proposed rules as a way to motivate those few companies that may still be lagging behind.      

“There are some people who this is not a big deal for. They already have this stuff established and they are pretty comfortable with the majority of these things,” Rader explains. “It is usually trying to pull along some of the stragglers to get stuff in gear.”

As a former auditor, Rader says he has seen many ways that organizations try to “game” audits through the years and that these proposed rules are good way to establish clear guidelines that cannot be easily circumvented.

“It is kind of like asking, do you have smoke detectors? Yes. Are there batteries in them? Well, you didn’t say we had to put batteries in them – even though that makes them completely ineffective,” Rader says.

Among the most interesting of the proposed requirements, according to Rader, is board oversight of cybersecurity risk. Though corporate boards often pay attention to these sorts of risks today, the fact that responsibility will likely now be laid directly at their feet means that it will be good for improving working relationships between CISOs and boards, which has not always been the case within many organizations.

“Definitely engaging the CISO with the board and feeling comfortable reporting and talking about risk with the board is a good starting point,” Rader adds. “There has been talk about whether there should be a member of the board that is certified from a cybersecurity perspective or has a history or background in cybersecurity. Do I think a lot of people are going to be appointing folks to their boards that are cybersecurity experts? I doubt it, but it is possible or there may be folks that are retired and that may be a good place for CISOs to go after they retire, but I don’t think that is something a lot of people feel they have to run out and do.”      

Establishing Clear Guidelines and Definitions

Perhaps the greatest challenge that public companies will face when these rules are formally adopted is clearly defining what their incident response protocols will be in the event of a network intrusion or breach as well as figuring out what constitutes a “material” cybersecurity incident, which Rader says is subjective and could be interpreted differently depending on what happened in a particular incident.

“The SEC’s angle on this is to make it so that shareholders get the information they need. It is not necessarily like the payment card industry where they care about you processing information and keeping it private and processing credit card transactions,” he says. “The SEC wants to make sure that everyone is on equal ground, and we are disclosing stuff equally just like everybody else should, so people can make decisions based on that. So, material may be different depending on how you define that in different areas. When you do have to disclose in an 8-K, you have to say cause, scope, impact, materiality, and remediation. With all those things, we have to be comfortable with the level of detail that we give because when you say cause, I can go all the way down into, ‘Well, Russian threat actors finding a zero-day exploit and this particular thing using these tools, tactics and procedures came in and did this,’ or it could just be a vulnerability and a product that we used.”        

From his perspective, Rader says that materiality simply means how much your organization is affected, whether it impacts client organizations or your ability to deliver products or transact.

“That also helps you in your incident response plans as well, so there is some good double dipping that you can do with all of these things,” he adds. “How do we escalate up to executives? If it gets escalated to an executive level, it’s probably hitting the materiality perspective.”   

Rader says what CISOs, in conjunction with their general counsels, should be doing is preparing their boards for the types of questions they should be asking relative to cybersecurity risk mitigation moving forward, so they don’t think they can just buy technology or insurance to address the problem.  

“If you get a board member that thinks they are a security person and they believe, ‘Oh, we need [multi-factor authentication],’ or whatever their platform happens to be and ‘MFA will save us from everything.’ Then, all of a sudden, the focus becomes on this thing, you get it done and then they think their job is done here from a security perspective,” Rader explains. “I’ve talked to the boards of gigantic global financial institutions where they thought they were covered because they had insurance and an immutable backup. And I was like, ‘So, that just means you’re ready to pay the ransom or restore from a smoking crater of your business.’ That’s why you’ve got to train the board to ask the right questions. What are the greatest cybersecurity risks? Are we covered? Don’t just think about those technical controls that go in place, but also the administrative controls and physical controls, potentially, to keep you secure.”

Joel Griffin is the Editor of SecurityInfoWatch.com and a veteran security journalist. You can reach him at joel@securityinfowatch.com.     

Comments are closed.