Navigating Security: Unraveling the SEC Reporting Obligations for CISOs

The Complexities of Determining Material Security Incidents: Navigating Reporting Obligations for CISOs

Introduction

The recent announcement by the Securities and Exchange Commission (SEC) regarding the reporting of material security incidents has raised several important questions for Chief Information Security Officers (CISOs). The SEC’s new rule calls for the disclosure of any cybersecurity threats or incidents within four days of determination, expanding the scope beyond traditional data breaches. However, determining what constitutes a material security incident can be a thorny issue, particularly when it comes to assessing security vulnerabilities. Furthermore, the focus should be on the outcome of a breach that exploits the vulnerability and not merely the vulnerability itself. This article delves into the complexities of this new SEC rule and explores the challenges CISOs face in navigating reporting obligations.

The Definition of Material Security Incidents

According to the final text of the SEC rule, a cybersecurity threat is “any potential occurrence that may result in an unauthorized effort to adversely affect the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” However, the focus is on the process rather than an individual vulnerability. This leaves room for interpretation when determining whether security vulnerabilities should be reported under the new SEC rule.

Considering the Outcome

When assessing the materiality of a security vulnerability, it is crucial to consider the potential outcome of a breach that exploits that vulnerability. Andy Ellis, operating partner at YL Ventures and former CISO at Akamai, highlights the importance of evaluating the potential impact of a breach rather than solely focusing on the attributes of the vulnerability itself. If a breach utilizing a specific vulnerability could have disastrous consequences, it should be deemed material and reported accordingly. This approach places emphasis on the company’s risk management process and procedures rather than the vulnerability itself.

Risk Management Metrics

Ellis argues that the SEC missed an opportunity to promote transparency in risk management by not requiring companies to disclose risk management metrics. He suggests that companies should disclose metrics such as the number of security vulnerabilities patched and the methods used to detect and reduce risks. These metrics would provide a clearer understanding of the company’s commitment to risk management and its ability to effectively address security vulnerabilities.

Disclosure and Fixes: A Reasonable Timeline

CISOs face challenges in disclosing security vulnerabilities promptly while also ensuring effective mitigation measures are in place. Nick Vigier, former CISO at Talend, notes that vulnerabilities exist across all systems, and it is impossible to address every potential issue comprehensively. Some security vulnerabilities may be extraordinarily unlikely to be exploited.

The Difficulty of Remediation

Justin Greis, a McKinsey partner specializing in cybersecurity, highlights the complexity of remediation efforts. He argues that the actual remediation process can often be challenging, especially when it requires manual patching or coordination with cloud vendors. In some cases, large-scale fixes may take considerable time and effort. A policy should be in place that sets the timeline for addressing critical security flaws, high-severity issues, and low-severity vulnerabilities.

Cybersecurity Hygiene and Cloud Environments

Greis emphasizes the importance of robust cybersecurity hygiene and timely vulnerability patching. When vulnerabilities are left unaddressed for extended periods, they become potential problems waiting to happen. CISOs need to establish policies outlining the prompt resolution of security vulnerabilities.

These difficulties are compounded in cloud environments, where reliance on cloud vendors for remediation adds another layer of complexity. Andy Ellis shares his experience at Akamai, where vulnerabilities took years to resolve because all customers had to deploy the fix before it could be fully implemented. Such dependencies put additional strain on CISOs, who may be unable to resolve vulnerabilities promptly through no fault of their own.

Risk-Based Assessment and Mitigation

CISOs must consider risk-based processes when handling vulnerabilities. Mark Rasch, a cybersecurity enforcement attorney, highlights that companies are not expected to have zero risk. Instead, the nature of the vulnerability and its potential for exploitation should be evaluated. Factors such as the likelihood of exploits, the skill sets required to exploit the vulnerability, the availability of compensating controls, costs (including financial, business, and process interruptions), and the estimated cost of mitigation should all be taken into consideration.
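The factors Rasch lists (likelihood of exploitation, skill required, compensating controls, impact cost, mitigation cost) and the severity-based remediation timeline Greis calls for can be turned into a simple triage routine. The following Python module is an added example, not code from the article or from any of the people it quotes. The expected-loss formula is a constructed heuristic, the SLA day counts in `REMEDIATION_SLA_DAYS` are hypothetical, and the findings in `SAMPLE_FINDINGS` are constructed sample data; a real program would load findings from a vulnerability tracker and use the company's own materiality threshold.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical remediation policy: maximum days allowed to fix a finding of
# each severity. The article says such a policy should exist; these numbers
# are constructed for the example, not taken from any standard.
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30, "low": 90}


@dataclass
class Finding:
    """One vulnerability, rated on the factors the article lists."""
    ident: str
    severity: str                  # "critical" | "high" | "low"
    opened: date
    likelihood: float              # chance of an exploit attempt this year, 0.0-1.0
    attacker_skill_needed: float   # 0 = public exploit, 1 = needs rare expertise
    compensating_controls: float   # 0 = none, 1 = fully blocks exploitation
    impact_cost: float             # estimated loss if exploited (financial + interruption)
    mitigation_cost: float         # estimated cost to fix
    fixed: Optional[date] = None   # None while still open


def expected_loss(f: Finding) -> float:
    """Constructed heuristic: likelihood discounted by the skill barrier and by
    compensating controls, multiplied by the impact if exploited."""
    p = f.likelihood * (1.0 - f.attacker_skill_needed) * (1.0 - f.compensating_controls)
    return p * f.impact_cost


def is_material(f: Finding, threshold: float) -> bool:
    """A finding is treated as material when its expected loss crosses the
    company's materiality threshold (the 'outcome' view from the article)."""
    return expected_loss(f) >= threshold


def mitigation_worthwhile(f: Finding) -> bool:
    """Fix when the expected loss exceeds what the fix costs."""
    return expected_loss(f) > f.mitigation_cost


def days_overdue(f: Finding, today: date) -> int:
    """Days by which the finding exceeded the policy SLA (0 if within SLA)."""
    end = f.fixed or today
    return max(0, (end - f.opened).days - REMEDIATION_SLA_DAYS[f.severity])


def triage(findings, today: date, threshold: float):
    """Rank findings by expected loss and flag materiality and SLA breaches."""
    rows = [
        {
            "id": f.ident,
            "expected_loss": round(expected_loss(f), 2),
            "material": is_material(f, threshold),
            "worth_fixing": mitigation_worthwhile(f),
            "days_overdue": days_overdue(f, today),
        }
        for f in findings
    ]
    return sorted(rows, key=lambda r: r["expected_loss"], reverse=True)


# Constructed sample findings (not real vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("V-001", "critical", date(2024, 1, 1), 0.8, 0.1, 0.0, 5_000_000, 50_000),
    Finding("V-002", "high", date(2024, 1, 5), 0.3, 0.7, 0.9, 2_000_000, 200_000,
            fixed=date(2024, 1, 25)),
    Finding("V-003", "low", date(2023, 9, 1), 0.05, 0.5, 0.0, 100_000, 1_000),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, date(2024, 1, 20), threshold=1_000_000):
        print(row)
```

Note that V-002 is the case the article describes: a real vulnerability that is very unlikely to be exploited and already covered by compensating controls, so it falls well below the materiality threshold and is not worth an expensive fix, while V-001 is both material and already past its SLA.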

Conclusion

The SEC’s new rule requires CISOs to navigate the complexities of determining material security incidents. While vulnerabilities themselves may not need to be reported unless they can be exploited to cause significant harm, it is crucial for CISOs to focus on their company’s risk management process, transparency, and ability to address vulnerabilities effectively. Clear policies outlining timelines for vulnerability resolution, considering both cybersecurity and business needs, can aid CISOs in meeting reporting obligations. The challenges posed by cloud environments and the potential delays in remediation require careful coordination and communication with cloud vendors. Ultimately, a risk-based approach that evaluates the likelihood and potential impact of breaches resulting from vulnerabilities will enable CISOs to effectively manage and report material security incidents.
