The SEC cybersecurity disclosure rules have put a spotlight on the issue of cybersecurity within organizations. The core of the rules and related guidance can be found in the article “Assess Your Readiness Now for the SEC Cybersecurity Disclosure Rules.“ The SEC cybersecurity disclosure rules should help build momentum around the importance of governance and risk management, relevant expertise, and timely incident disclosure that are fundamental to cybersecurity programs. The disclosure rules won’t address all the inherent challenges of cybersecurity. But it’s worth further examination into the impacts of the SEC rules and where additional problems might arise. Below, you’ll find my takeaways after digesting numerous materials on the subject and mapping to my experience that informs the gray area.
How we got here
In my years as a practitioner, leader, and advisor, I’ve witnessed countless cybersecurity programs in various states of maturity. I’m more shocked when I see appropriate, mature approaches than when I observe broken processes or inappropriate use of technology. Advisory discussions would often start with disclaimers such as “there are no stupid questions” or “I’ve seen it all, and please don’t feel embarrassed.” Transparency and level-setting are key in understanding the current state so that I can guide effectively and help someone improve.
Given the option, the painful truth is that many organizations will do the bare minimum for security. Do you tailor a security program so that it’s compliant, or do structure a program that’s all-encompassing that mitigates all types of threats? A program can be designed with both approaches in mind, but decision makers may weigh one heavier than the other. More often than not, the compliant approach will be selected over fear of regulatory backlash in spite of lingering security risk.
Effective security is often recommended but rarely mandated
Mature cybersecurity programs are incredibly difficult to implement and operate. They can also be costly. This outcome is rarely due to weak technology. Rather, poor security is a byproduct of many other factors such as lack of information, conflicting politics, reduced budgets, resource constraints, or human psychology.
Where the rules support cybersecurity
Requiring transparency with disclosure of security expertise, governance and risk management processes, and material incidents should help light a fire under the leadership of lower-performing organizations. Realistically, this should also create other positive effects such as boosting national cybersecurity, improving software supply chain security, and mitigating the impact from security incidents, and reducing any resulting temporary market volatility.
CISOs might finally get a seat at the table
A concern that’s often expressed by security leaders is that security initiatives fall on deaf ears or become under-funded, leading to ineffective operation of the security program. The rules can help facilitate a “seat at the table” and board exposure for CISOs and security leaders. The SEC rules should help raise awareness and improve communication between the board, executive leadership, and security leaders within organizations.
The rules have also helped renew awareness around cybersecurity and the need for all manner of organizations to have established cybersecurity programs. Effective programs should detail how the organization governs itself and approaches risk analysis, risk management, incident response, and more. This also helps boosts investor confidence (and indirectly customers or employees) that organizations have what is necessary to secure critical systems, protect sensitive data, and respond quickly to security incidents that can result in data breaches.
Intellectual property and threat intel are preserved
Despite initial criticism, the final rules will help protect the intellectual property of companies with respect to architecture, risk management, and threat detection and response processes. Explicit details of what happened in a given material incident or how the organization remediated and recovered from it don’t need to be disclosed. This was a major point of concern seen in the feedback to the proposed rules. Disclosing deep technical details could tip off attackers on how to exploit an impacted publicly traded company by providing details of the inner workings of its systems and security controls. It might also have other negative impacts in the threat intelligence community and sharing of information.
Where the rules cause heartburn
The SEC was able to address many of the concerns that were expressed during the public review of the rules, but not all companies will be happy. Impacts may be felt harder by small to midsize organizations that are already challenged with staffing or budget issues. Provisions were made for smaller organizations in what information they need to disclose as well as the time allotted to become compliant, but the pains will still be felt.
Disclosure windows were already tight and getting tighter
Four days is tight for unearthing all details of a given material cybersecurity incident. This timeline may also be extended if the company is working with law enforcement or the FBI. Detecting that an incident occurred is only one facet though and arguably the least difficult. Organizations also need to assess what damage occurred and whether the incident had material impact so that it must be disclosed to the SEC. Cyber incidents occur quickly in the cloud. Four days will be a very high bar for most organizations.
The rules might encourage companies to not disclose from the point they first discover the signs of a security incident. Companies will likely require more time to properly assess materiality. Companies may also not want to tip off attackers. There’s knowledge to be gained by taking time to observe attacker tactics, techniques, and procedures for the sake of attribution or to fully understand an attack chain. Disclosure may also complicate digital forensics efforts or inhibit incident response processes. A company might also invite too much public scrutiny by disclosing early which could adversely affect stock price.
Materiality is still open to interpretation
Materiality can be considered subjective and gives organizations wiggle room on disclosing an incident they deem immaterial. Guidance on determining materiality is usually defined by financial factors and in the eyes of auditors. Cybersecurity is a different animal, and companies have been known to downplay risk or business impact to avoid financial penalties or negative media attention.
Small security incidents alone may be deemed immaterial, but in the aggregate, those incidents become material. Attackers can and do use chain attack techniques, sometimes over longer time periods. You must track, correlate, and re-assess incident data over time to know if materiality changes.
We need better definitions of cybersecurity expertise
There’s no golden standard for cybersecurity expertise yet, which is unlike some other (often highly regulated) professions that require years of education, training, apprenticeships, and on-the-job experience. The SEC rules provide minimal clarity here for management (CISO) roles. Expertise “may include, for example: prior work experience in cybersecurity; any relevant degrees or certifications; any knowledge, skills, or other background in cybersecurity.” To a practitioner, these descriptors couldn’t be more vague, and the breadth and depth of cybersecurity is massive. Without explicit technical detail, it’s easy to inflate experience. Though there are clear distinctions between practitioners and leaders, you still need technical understanding to properly assess incidents and run a program, even if it’s another team handling the work. Organizations like the Digital Directors Network (DDN) are working to bring objectivity to these experience measures and connect qualified technology experts (QTE) with boards that are looking to augment their own expertise.
Management might overstate their security expertise to avoid board scrutiny and/or quickly complete an annual SEC filing. Defining what training or experience constitutes efficacy in cybersecurity is a tricky proposition since knowledge and skill comes from many avenues. The requirement for board cyber expertise was removed in the final version of the rules. Many industry veterans express that companies are more effective in cybersecurity when everyone, including the board, is speaking the same language. The board is in a position of authority where it can steer a company into dangerous territory by failing to adequately prioritize cyber initiatives. Lack of familiarity with cybersecurity can stifle risk analysis, even if it’s just to quickly assess the abilities of management or the company’s cybersecurity program.
The role of the CISO is also relatively new in the C-Suite. Some organizations don’t staff a CISO formally, use virtual or fractional CISOs, or they delegate duties to their CIO. Smaller organizations, based on resourcing or awareness of cyber-risks, may not even have a CIO. It’ll likely be a case of diminishing returns with respect to the quality or accuracy of the assertions made about a company’s cybersecurity program for smaller entities.
Cybersecurity governance and risk management need baselines
Prescriptiveness is lacking regarding what standard organizations should or need to follow for their cybersecurity and risk management programs. Consensus might point to frameworks like the NIST CSF or standards like NIST SP 800–53, but there’s a broad spectrum of other guidance, standards, and policies that impact these choices. The court of public opinion might also influence this. The ambiguity can also be a boon for some companies that need more time to flesh out one or more aspects of their cybersecurity programs. Frankly, many organizations need to invest more time and resources into maturing their cybersecurity in order to effectively prevent, detect, and respond to security incidents. “What is a measure of good?” and “Where do we start?” were and still are common questions. Many practitioners and leaders simply don’t know where to start. Or they have little time or expertise to review lengthy maturity models or objectively verify their own processes against those models.
Compliance drives up cost in a time of economic uncertainty
It’s no secret that governance, risk, and compliance efforts often consist of manual, human-driven, and time-consuming processes. This stands opposed to cost-reduction efforts.
Cost is always an inhibiting factor in business, but it’s particularly true for cybersecurity and within current macroeconomic conditions. Most if not all companies have had to re-evaluate their capital and operating expenses. Staff may need to be reduced. Mature organizations are quickly ramping up on automation of security validations and attestations (i.e., continuous compliance). There are also other significant technological forces in play that will greatly impact how companies staff and operate, particularly the rapid adoption of LLMs like Bard and ChatGPT.
Historically, security tooling is inadequate or piecemeal, organizations are still being compromised, and management needs to re-orient its spend. Some organizations may opt to focus on staying competitive by forgoing expensive risk management and governance processes at the risk of being investigated by the SEC later. Organizations would be better served by examining where and how they spend and whether security tooling provides sufficient insight into operating environments to mitigate cyber risk.
Where lingering questions remain
We may see amendments to the SEC cybersecurity disclosure rules over time as they are put into practice, but they are considered final and effective 30 days after publication to the Federal Register. Some of these concerns were expressed during the rounds of review of the proposed rules and heard during the SEC Open Commission Meeting on July 26, 2023. They’re worth keeping an eye on as you implement or revamp your cybersecurity program and adhere to SEC disclosure requirements.
Will the quality of disclosures decline?
Suppressing details of cyber events or downplaying cybersecurity risk is common. This can directly affect materiality, which by itself can be subjective. Many public entities already don’t do an adequate job today with the timing and quality of SEC disclosure obligations, including Internal Control over Financial Reporting (ICFR) status. The picture might worsen for the cybersecurity disclosure rules. Organizations will templatize responses for the SEC forms to maintain consistency and keep information to a minimum so as not to invite undue scrutiny. This begs the question whether the rules are truly benefiting investors or resulting in another pile of data to sift through as it all gets dumped into SEC’s system, Electronic Data Gathering, Analysis, and Retrieval (EDGAR).
There will likely be a deluge of disclosures that the SEC as well as other entities like CISA, DOJ, and FBI have to ingest, correlate, manage, and/or validate. Some of this is a byproduct of the SEC cybersecurity disclosure rules, but it’s also part of the bigger picture of the National Cybersecurity Strategy. How will all these federal agencies keep pace, and will they need to staff up? The US is essentially attempting what many security programs fail at: centralizing many aspects of a program and promoting increased governance and oversight. Most cybersecurity programs go in the direction of decentralization with security guardrails and streamlined governance in order to scale.
How do you rationalize conflicting disclosure timelines?
Organizations face different timelines with respect to incident disclosure. The SEC wants material incidents disclosed within four business days or 96 hours. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires disclosure within 72 hours and 24 hours for ransomware payments. The Department of the Treasury’s Office of Foreign Assets Controls (OFAC) expects organizations to report ransomware activity and payments as soon as possible as part of anti-money laundering and countering the financing of terrorism (AML/CFT) efforts. There will no doubt be confusion for organizations about what information must be reported, to whom, and how quickly.
Ambiguity also remains over the exception process when a public entity is collaborating with the DOJ as part of a security incident that presents national security risk. What does this process look like effectively? How would an organization even know if the risk of a security incident is that elevated? Does attack attribution to threat actors operating within authoritarian nation-states act as a qualifier? And would a company gain access to additional intelligence that might help them make this risk determination?
To what extent are companies responsible for supplier risk?
All organizations are part of partner and supplier ecosystems that make up software supply chains which increases risk. No company, regardless of industry, operates all aspects of the business independently, nor does it build and deliver services in a vacuum. Security risks are often greater for smaller organizations since they lack all the necessary resources for running effective cybersecurity programs. They may receive extensions and exceptions as part of the final rules, but they will still be required to disclose.
Smaller organizations may also not be publicly traded where the SEC rules apply directly, but these types of private companies may quickly find themselves thrust into the world of SEC disclosure forms when their partners or suppliers must disclose. Non-publicly traded software vendors may be one of the first to feel the brunt of this. The picture worsens in the case of open-source software projects. All but the most mature projects lack some form of governance, let alone staff who would be equipped to provide appropriate information needed for SEC disclosures.
How do you avoid drowning in the firehose of cyber incidents?
Many companies experience a wide spectrum of security incidents, on a regular basis, and sometimes in high volumes. Most security practitioners would interpret “material incidents” to mean those security events that result in privilege escalation, remote code execution, system compromise, account takeover, data breach or some other technical outcome. This is a different definition from that of the accounting world and the intent of the SEC disclosure rules.
Security teams need to gather enough event data to understand if a given security event created a business impact or that might also impact materiality. This analysis requires a number of mental leaps that go beyond the mindset of a traditional cybersecurity practitioner. Without well-defined processes and thresholds for triaging security incidents to determine materiality, security teams will be inclined to throw everything at management and over-report. Otherwise, security teams and their leadership risk potential repercussions from their employers for failure to report issues that are later deemed material. Combine this with the realization that many organizations limit themselves to scanning for known vulnerabilities in their networks and drive remediation from there, and you’re left with a grim picture of cybersecurity effectiveness.
Two steps forward, one step back for cybersecurity
The SEC cybersecurity disclosure rules have put a spotlight on the issue of cybersecurity within organizations and promote accountability in publicly traded firms. They will help build momentum around the importance of governance and risk management, relevant expertise, and timely disclosure of material incidents. However, we shouldn’t lose sight of the fact that lower security maturity is still the norm.
The presence of strong preventative and protective controls also doesn’t equate to zero security incidents. Many organizations have exhibited appropriate security by reasonable technical and operational measures, but they still suffered incidents and breaches with long-lasting effects. This reality is why risk management is so critical. There will inevitably be bumps in the road as organizations figure out the balancing act of disclosing relevant information to the SEC and operating effective cybersecurity programs. I’m looking forward to seeing how things play out.
This article was originally published on Medium.