Navigating the Murky Waters: Unraveling SEC’s Ambiguous Cybersecurity Material Rule

Navigating the Murky Waters of Cybersecurity Disclosure Rules

The Aims of the New Cybersecurity Disclosure Rules

One of the primary aims of the new cybersecurity disclosure rules approved by the Securities Exchange Commission (SEC) last month is to provide investors with better information about the cybersecurity risks associated with public companies. Another objective is to encourage public companies to enhance their cybersecurity and risk posture. However, the devil lies in the details of these rules, as concerns arise over which incidents to report and what information is required in the disclosure.

The Difficulty of Determining Material Incidents

A crucial requirement of the new rules is for enterprises to establish a mechanism to determine when a security incident is material. The SEC considers an incident material if it can have a significant impact on the company’s financial position, operation, or relationship with its customers. However, determining whether an incident is material can be more complex than organizations are prepared for.

Senior managers often face bureaucratic and logistical challenges in creating a committee to regularly make determinations. Moreover, security incidents evolve over time, making it difficult to arrive at a prompt decision based on incomplete and potentially flawed preliminary data. Corporate executives find themselves in a no-win situation—either risking reporting an incident as material when it is not, or waiting for forensic analysis and examination of backup files, potentially leading to accusations of untimely disclosure.

The Challenge of the Four-Day Disclosure Timetable

The SEC’s requirement for a four-day disclosure timetable, which starts counting down once a company determines an incident is material, poses yet another challenge. Preparing an SEC filing requires Security Operations Center (SOC) staff to compile specific incident details, which then undergo drafting and review by legal and investor relations teams. CFOs, CEOs, and even board members may need to review and approve the filing. Even under ideal circumstances, this process may exceed the four-day limit.

Corporate Leadership’s Role in Defining Material Incidents

Corporate leadership plays a crucial role in determining what constitutes a material incident. Factors such as the organization’s industry, geographic scope, operations, and potential attackers or attacks must be considered. For instance, a military subcontractor working on weapons systems might consider a breach of product blueprints material, while an agricultural company may not.

In addition, definitions of security incidents vary among security professionals, lawyers, and government agencies. The SEC seeks disclosure of all security incidents, including Distributed Denial-of-Service (DDoS) attacks, which may not meet the definition of a data breach. The lack of alignment among experts and varying definitions add further complexity to complying with the rules.

The Exemption of Key Information in Disclosure

Notably, the SEC has carved out an exemption concerning specific technical information and details about a company’s planned response, cybersecurity systems, related networks and devices, or potential vulnerabilities. While this exemption may be necessary for the investigation and preventing information from falling into the wrong hands, it may also result in vague and uninformative disclosures.

Companies may opt to provide minimal information to avoid hindering investigations or revealing potential weaknesses. However, this approach could result in disclosures that lack valuable and meaningful information for investors and potential investors. Vague and speculative comments, known as “pablum disclosures,” fail to provide useful insights and ultimately prove worthless.

Challenges in Identifying Material Incidents

The massive number of security incidents occurring each week presents a logistical problem for companies. Determining which incidents are potentially material requires careful filtering and assessing vulnerabilities. This task may fall to someone in the company’s SOC, typically a SOC manager. However, if the SOC makes the final determination, it could undermine the purpose of establishing a committee to make strategic business decisions about material incidents.

The responsibility falls on the management committee to provide clear guidance to the SOC and other relevant parties. The committee should define what is considered material and communicate their expectations to the CISO and SOC team. In a cyber and AI-driven environment, the risks extend beyond data breaches, encompassing availability, confidentiality, integrity, supply chain, and liability.

Editorial: Striking a Balance in Cybersecurity Disclosure

The SEC’s new cybersecurity disclosure rules aim to provide investors with valuable insights into the cybersecurity risks faced by public companies. However, while the intent is commendable, the rules must strike a delicate balance to avoid unintended consequences.

On the one hand, the rules must ensure transparency and accountability by requiring timely disclosure of material incidents. Investors have the right to know about cybersecurity risks that can impact a company’s financial position or operations. Prompt disclosure helps prevent potential losses and allows investors to make informed decisions.

On the other hand, the rules should provide organizations with enough flexibility to protect sensitive information during investigations and maintain their competitive advantage. Disclosing too many details risks hindering investigations, exposing vulnerabilities, and potentially providing ammunition to adversaries. Companies should not be forced to provide excessive information that can be exploited by attackers or used against them.

Therefore, regulators should carefully review the specific requirements for disclosures, considering the nuances of cybersecurity incidents and the potential impact on investigations and remediation efforts. Striking the right balance ensures that investors receive meaningful and actionable information while safeguarding companies’ ability to effectively respond to and mitigate cyber threats.

Advice: Navigating the Complexities of Cybersecurity Disclosures

Given the complexities surrounding cybersecurity disclosure rules, companies need to approach compliance with a well-defined and thoughtful strategy. Here are some key considerations:

1. Establish an interdisciplinary committee: Create a management committee comprising representatives from finance, legal, cybersecurity, risk, compliance, and other relevant departments. This committee should work together to define what constitutes a material incident and provide clear guidance to the organization.

2. Engage legal expertise: Collaborate closely with legal teams to understand the specific disclosure requirements and ensure compliance while protecting sensitive information. Legal professionals should review disclosures to strike a balance between transparency and safeguarding investigations.

3. Implement a robust incident management process: Develop an incident management process that includes initial assessment, incident classification, and prioritization. This process should ensure that potentially material incidents are promptly escalated to the management committee while filtering out less significant events.

4. Conduct thorough analysis: Invest in forensic analysis capabilities to gather accurate and complete data on security incidents. Avoid rushing into determinations based on preliminary information. Conduct comprehensive investigations before making materiality decisions.

5. Educate executives and board members: Provide cybersecurity education to executive leadership and board members to help them understand the complexities of security incidents. This knowledge will enable them to effectively guide the committee’s decision-making process and provide the necessary information for meaningful disclosures.

Navigating the new cybersecurity disclosure rules can be challenging, but with careful planning, collaboration, and a deep understanding of the organization’s specific risks, companies can strike the right balance between transparency and protection.
