Cybersecurity breaches are becoming more frequent and more impactful. Adversaries continue to grow stronger, and defenders aren’t always keeping pace. Add in the increasing number of nation-state actors in the threat landscape, and it’s hardly surprising that governments are starting to take a greater role in regulating security.
On July 26th, 2023, the U.S. Securities and Exchange Commission issued new regulations on cybersecurity risk management, strategy, governance, and incident disclosure, leaving many companies concerned about how to ensure compliance with these new rules, and what changes they may need to make to get up to speed.
Sysdig’s CEO Suresh Vasudevan hosted a panel of experts, including Kevin Mandia from Mandiant, Sherrese Smith from Paul Hastings, Enrique Salem from Bain Capital Ventures, and Scott Jones from Morgan Franklin Consulting, to explore incident response through the lens of the new SEC rules and what the stakes are for public company boards, CEOs, and CFOs.
Read on to see the panelists’ thoughts on key questions surrounding the new regulations, or watch the full panel now.
What are the new cybersecurity disclosure rules?
The SEC’s new rules can be summarized in two parts. First, they standardize the disclosure of cybersecurity incidents. When a company determines that a cyber incident is material, it must now disclose that incident on Form 8-K (Form 6-K for foreign private issuers) within four business days of making that determination. The disclosure should describe the nature, scope, and timing of the incident and its actual or reasonably likely impact on the company.
Second, companies must make additional disclosures in their annual report on Form 10-K (Form 20-F for foreign private issuers). Organizations must now describe how they assess, identify, and manage material cybersecurity risks, what their process is for evaluating security incidents, and how management and the board oversee that process.
While companies were already reporting major cybersecurity incidents, there was previously a great deal of inconsistency in how individual organizations reported: what they reported, when they reported it, and whether shareholders were actually getting the information they needed. The new mandate is therefore not intended to be a fundamental change. Its core purpose is to establish consistent, transparent standards for disclosures businesses should already have been making. (Note, however, that the requirement to disclose on Form 8-K is new, and it shortens the reporting window considerably: four business days from the materiality determination.)
In our expert panel, Kevin Mandia comments that when he had to apply the SEC’s new mandate to a breach at his own company, “It didn’t change anything.” Mandia was able to follow the same processes as always, but with additional clarity on what reporting was expected, and within what time frame.
That being said, it’s important to understand that the SEC will now be putting a great deal of scrutiny on cybersecurity practices, and will be holding companies accountable for failing to meet these standards. For illustration, look no further than SolarWinds, whose supply-chain compromise was disclosed in December 2020. The SEC has since charged SolarWinds and its CISO, alleging that the company’s cybersecurity practices were weaker than what it disclosed to the public, that its statements about the state of its security were misleading, and that this amounted to fraud against investors.
No one wants their company to wind up in court against the government. So even if your company already has systems in place for disclosing cybersecurity incidents, you’ll want to make sure you understand the specifics of the SEC’s new mandate.
What counts as a material breach?
One question CISOs will have to grapple with is how to decide whether an incident is material. CISOs and security leaders will need to establish and implement processes and controls that let them properly escalate and report potentially material incidents, but the materiality determination itself should rest with those closest to financial disclosures: finance, legal, and the disclosure committee. Our panelists were in agreement here: CISOs should defer that decision to those functions whenever they can. Whether an incident is material can depend on the industry, the customers, and the specific company, and companies need to weigh both quantitative and qualitative factors. Navigating these differing standards while assessing the total impact of an incident on systems, data, customers, and the overall business is likely outside most CISOs’ area of expertise. What the CISO owns is the factual picture: what was accessed, for how long, by whom, and what it touches.
“Just answer the questions that the lawyers ask you, quite frankly, and they’ll let you know when you’ve crossed the threshold where the right thing to do is start that four-day ticker.”
Kevin Mandia, Co-Founder & Strategic Partner, Ballistic Ventures
What processes should you have for incident response?
In some cases, companies may want to disclose an incident even if it is not material. As an example, our panelists discussed the leak of Symantec’s pcAnywhere source code. In 2009, hackers informed Symantec that they had held the source code for three years, and then threatened to release it (which they eventually did in 2012).
Given that there had been no apparent impact on systems or revenue in the previous three years, Symantec could certainly have argued that the threat was not a material incident. But there was still the risk that a vulnerability would be found in the source code if it were released, which would put Symantec’s customers at risk.
This is what led Symantec to publicly disclose the threat: it had an obligation to inform its customers, and once customers knew, it was only a matter of time before the information became public. “You might as well get ahead of it,” explains panelist Sherrese Smith.
What changes do companies need to make going forward?
For many companies, the new SEC regulations may not change how they respond to a security incident as dramatically as they feared. Still, no company wants to run afoul of the new rules; the SEC suit against SolarWinds and specifically their CISO was unprecedented, and sent shockwaves through the cybersecurity profession. This means some change will likely need to happen in governance, investments and processes.
Naturally, companies need to make sure they’re investing enough in defenses against the most common types of breaches. In the cloud, that means attackers harvesting credentials and access tokens (leaked keys, over-privileged service accounts, stolen session tokens) to reach the cloud control plane, so identity hygiene, least-privilege roles, and monitoring of control-plane API activity are the priority. On-premises, exploitation of unpatched vulnerabilities in exposed systems remains the most prevalent type of breach, so patch management and exposure reduction are the priority there.
Companies also need to invest in the necessary tools to understand what their systems are doing, where data and IP are stored, and how to shut systems off if need be. To get the budget and tools they need, CISOs will want to ensure they can explain to management and the board the highest priorities for security, and the potential impact of a breach in a crucial system.
As mentioned above, many organizations will also need clearer processes in place for escalating a security incident beyond the CISO or security team. In general, it’s better to over-communicate than wait too long to get the right people involved. As panelist Enrique Salem puts it, “My advice to any security professional would be, once you know something is happening, don’t just keep it to you and your security team.” Well-defined processes will help ensure everyone knows what they need to know, when they need to know it.
Why should you practice your incident response process?
No matter how well-defined your process is, you also need to practice running through it. Just like with a fire drill, you don’t want the first time you use your emergency procedures to be in an actual emergency. By practicing, your organization can get used to the processes you intend to use, find and revise the portions that don’t work, and ensure readiness in the event of an actual security breach.
These dry runs will also help ensure you include all the right people in your incident response process: people you’ll want to escalate to more quickly, and people who were left out whom you’ll want to include in the future.
What are the most important points to remember?
All of this is a lot of information and advice to keep in mind, so here’s a quick rundown of the most important points:
- Under the SEC’s new regulations, companies must disclose any material cyber incident on Form 8-K within four business days of determining that it is material. This puts a new spotlight on cybersecurity, governance, and risk management, and promotes timely accountability in publicly traded companies.
- Annual reports (Form 10-K) must now describe how the company assesses, identifies, and manages cybersecurity risk, and how management and the board oversee it.
- CISOs will need to carefully assess the totality of an incident’s impact and feed that assessment into the materiality decision, which rests with finance, legal, and the other members of the disclosure committee. Working closely with them is key.
- Companies need to make sure they know what systems and data they have, and which are most critical to the business (or could destroy the business if exposed or taken).
- Companies will also need clear and well-documented controls and processes on how and when to escalate beyond the CISO and security team. In general, it’s better to over-communicate and involve people sooner rather than later.
- To ensure readiness, organizations should hold dry runs to practice their incident response process and conduct post-mortems to course-correct.
Remember: Your organization likely already has a great deal of what you need in place. The SEC’s new mandate doesn’t change the need to respond to and disclose cybersecurity breaches — it just gives a clearer rubric for how and when to respond, and what to disclose, and a reminder that cybersecurity is only growing more important for any modern business.