The Proposed Rule for Public Companies: A Burden on CISOs and the Challenges of Materiality
The Tight Disclosure Window and Practicality
The Securities and Exchange Commission (SEC)’s proposed rule on cybersecurity disclosure, governance, and risk management for public companies, known as the Proposed Rule for Public Companies (PRPC), has faced significant pushback since its proposal in March 2022. One of the main concerns raised by experts is the requirement for companies to report “material” cybersecurity incidents within four days. This short disclosure window puts immense pressure on chief information security officers (CISOs) to disclose incidents before they have all the necessary details.
In reality, cybersecurity incidents are not isolated, one-and-done events. They are dynamic and constantly evolving, often taking weeks or even months to fully understand and remediate. Requiring CISOs to disclose material incidents within just four days can lead to premature and incomplete disclosures. Moreover, it may force CISOs to disclose vulnerabilities that, given more time, could turn out to be less significant. A company's short-term share price could be affected on the basis of incomplete information. This burdensome timeline detracts from the ability of CISOs to focus on effectively managing and mitigating these incidents.
To illustrate the challenges posed by the four-day disclosure requirement, let’s look at the European Union’s General Data Protection Regulation (GDPR) as a point of comparison. Under GDPR, companies are required to report incidents of non-compliance within 72 hours. While 72 hours is often too soon to fully comprehend an incident’s overall impact, organizations at least have a clear understanding of whether personal information has been compromised. In contrast, under PRPC, the determination of materiality is left to the organization’s internal qualification, based on what a “reasonable shareholder would consider important.” This broad definition lacks clarity and creates uncertainty for businesses.
Weak Definitions and the Impact on Incident Reporting
The PRPC proposal also suffers from weak definitions regarding the disclosure of incidents. One concern is the requirement to report circumstances in which a security incident, while not material on its own, becomes material “in aggregate.” It is unclear how this works in practice. For example, does an unpatched vulnerability from six months ago, which was not exploited, now fall under the scope of disclosure if it contributes to a subsequent incident? The distinction between threats, vulnerabilities, and business impact is already convoluted. Adding the aggregation clause further complicates the determination of what needs to be disclosed.
Another concerning requirement in the proposal is the mandate to disclose any policy changes resulting from previous incidents. The rigor of measuring and assessing these policy changes remains ambiguous. Policies are meant to be statements of intent, not low-level forensic configuration guides. While updating lower-level documents regarding specific security measures makes sense, many higher-level documents would not typically be updated due to an incident. It raises questions about the practicality of such disclosures and their relevance in the context of quarterly earnings reports, as mandated by the proposal.
The Practicality of Quarterly Earnings Calls and Board Experience
The PRPC proposal states that quarterly earnings reports will serve as the forum for disclosure of cybersecurity incidents and policy updates. However, it seems impractical to expect CFOs or CEOs, who typically provide earnings reports, to possess the in-depth knowledge necessary for delivering critical security reports. This brings up the question of whether CISOs should join these calls, and if so, whether they will also respond to questions from financial analysts. Quarterly earnings calls may not be the most suitable platform for such disclosures, considering the technical nature of the information and the need for a specialized understanding of cybersecurity matters.
The initial iteration of the PRPC proposal required disclosures about board oversight of cybersecurity risk management policies, including individual board member expertise in cybersecurity. However, after facing scrutiny, the SEC decided to remove this requirement. Nevertheless, the proposal still calls for companies to describe the board’s process for overseeing cybersecurity risks and management’s role in handling those risks. This highlights the need for improved communication and awareness between boards and security executives.
According to a recent survey conducted by Dr. Keri Pearlson, executive director of cybersecurity at MIT Sloan, and Lucia Milică, CISO at Stanley Black & Decker, there is a clear communication gap between board members and CISOs. Only 47% of surveyed board members interact regularly with their CISOs, with almost a third of them only encountering their CISOs during board presentations. This gap in communication underscores the importance of aligning the board’s understanding of cybersecurity issues with the expertise of security executives.
Conclusion: Uncertainties and Regulatory Challenges
As with any new regulation, uncertainties and challenges arise with the PRPC proposal. The requirement to disclose material incidents within a four-day window poses significant burdens on CISOs, potentially leading to premature or incomplete disclosures. The lack of clear definitions regarding materiality and incident reporting further adds to the confusion.
The proposal’s integration of policy updates and incident disclosures into quarterly earnings reports seems impractical, raising questions about the appropriate participants and the platform’s suitability for discussing technical cybersecurity matters. Additionally, while the removal of the individual board member expertise requirement is a relief, there remains a need for improved communication and alignment between boards and security executives.
As we await further developments and potential revisions to the PRPC proposal, it is crucial for organizations to assess the impact it might have on their cybersecurity operations. Companies should consider their existing incident response capabilities, communication plans, and board-level cyber risk oversight processes to ensure compliance with future regulations while maintaining effective cybersecurity practices.