The Delicate Balance: Reporting Cybersecurity Incidents Under New SEC Rules
The Challenge for CISOs
The new rules set by the Securities and Exchange Commission (SEC) require enterprises to report material cybersecurity incidents within four days. This puts Chief Information Security Officers (CISOs) in a difficult position, as they must determine what information to include and what to exclude. The lack of guidance and direction further complicates their decision-making process.
One of the biggest challenges for CISOs is the limited information available during the initial stages of an incident. As Merritt Maxim, a Forrester VP and research director, points out, CISOs often lack all the facts on day one. Given this uncertainty, CISOs must work closely with the security operations center to compile a memo with all incident details, which is then sent to investor relations and legal departments for review and preparation of the SEC filing.
Learning from Existing Disclosures
In order to comply with the new SEC rules, CISOs can look at existing disclosures from enterprises such as Caesars, MGM, and Clorox. While these filings vary in terms of incidents reported, they share a common focus on what is known and avoid speculations and predictions. It is important to note that these filings do not disclose details that are likely to change, ensuring the accuracy of the information provided.
Competing Obligations
CISOs face the challenge of balancing three competing objectives when reporting cybersecurity incidents:
- Report as much as you can: Legally, CISOs are obliged to share as much information as possible with investors and potential investors.
- Report as little as you can: From a cybersecurity perspective, it is important to disclose minimal information about the organization’s threat landscape and defenses, especially when the attack has not been fully contained.
- Report only what you are confident about: As initial details are often unreliable and subject to change, enterprises may wonder if they are obligated to disclose information that is initially of low reliability.
CISOs like Dirk Hodgson, CISO of NTT Australia, suggest only reporting what is known with 80-90% certainty. It is important to understand that during the early stages of an incident, comprehensive information may not be available, and details may evolve over time as the investigation progresses.
Challenges in Selecting Material Details
Douglas Brush, a special master with the US federal courts, emphasizes the challenges of selecting specific incident details that are relevant and meaningful for the investing public. Determining the impact of cyber operations on businesses remains a complex task. As Phil Neray, vice president of cyber defense strategy for Gem Security, points out, Clorox’s SEC filings effectively balance what is known with basic estimates about the duration of operations’ restoration.
Rex Booth, CISO of Sailpoint, advises keeping disclosures simple and focused on tangible and measurable impacts, such as interrupted operations and compromised systems. He suggests avoiding discussions of causation and emphasizing ongoing investigations with external entities.
The Value of Actionable Information
While it is important to disclose information, CISOs must consider whether the information provides actionable value to shareholders and potential investors. The balance between transparency and limiting information that could be used by attackers is a critical consideration. CISOs must also be aware of what details are already public, as some information may be widely available through social media or other sources.
Naj Adib, a risk and financial principal for cyber and strategic risk at Deloitte, suggests separating what happened from the organization’s remediation plans. He highlights that there is no requirement to discuss remediation during disclosures.
A Shift in Emphasis
The new SEC rules do not change the reporting requirements but emphasize the importance of timely and meaningful disclosures. The dedicated document for reporting cybersecurity incidents brings these incidents to the forefront for every board of directors, CEO, and CFO. CISOs can expect increased internal attention and scrutiny due to the higher profile of breach reporting.
Accel’s Brush recommends involving corporate counsel or outside legal advisors in disclosure discussions and decisions. This not only ensures legal advice but also protects conversations from being legally discoverable under attorney-client privilege. Having a lawyer present allows for open and frank discussions while preparing the final statement.
Editorial: Striking a Balance between Transparency and Security
The evolving landscape of cybersecurity incidents poses a significant challenge for enterprises and CISOs. The new SEC rules add pressure to strike a delicate balance between transparency and security. On one hand, investors and potential investors have the right to know about material incidents that may impact the organization. On the other hand, organizations must protect their threat landscape and prevent additional vulnerabilities.
While the new rules provide a framework for reporting, it is crucial for regulatory bodies to provide clearer guidance to CISOs. The lack of specific direction contributes to uncertainty in decision-making. Additionally, the dynamic nature of cybersecurity incidents necessitates ongoing evaluations and revisions of reporting requirements to adapt to the changing threat landscape.
Advice for CISOs
Given the challenges CISOs face in reporting cybersecurity incidents under the new SEC rules, the following advice can help navigate this delicate terrain:
- Focus on reporting what is known with reasonable certainty, avoiding speculations or predictions.
- Keep disclosed information simple, tangible, and measurable, emphasizing observed impacts rather than causation.
- Balance the value of actionable information for investors with the potential risk of divulging too much to potential attackers.
- Consult legal advisors to ensure compliance with SEC rules and protect conversations under attorney-client privilege.
- Separate incident details from remediation plans to strike a balance between transparency and security.
As cybersecurity incidents continue to increase in complexity and frequency, organizations and regulatory bodies must work collaboratively to establish clearer guidelines. This will empower CISOs to make informed decisions and strike a balance between transparency and security.
<< photo by Dan Nelson >>
The image is for illustrative purposes only and does not depict the actual situation.
You might want to read !
- Standardizing Firmware Audits: OCP Launches SAFE Initiative
- Finland’s Fight Against Cyber Criminals: Psychotherapy Hacker Charged With Extortion
- Navigating the Wilderness: Unveiling the Satnav Test on a Remote Island Lab
- The Implications of EPA’s Decision to Stop Regulating Cybersecurity in Water Utilities
- Building Cyber Resilience: Fostering a Culture of Cybersecurity in Businesses
- Protecting Data While Fostering Collaboration: The New Imperatives for Modern Enterprises
- D-Link Breach: Debunking the Hacker’s Claims and Examining the True Scope
- Navigating the Legal Maze: Unveiling 4 Unexpected Aftermaths of a Cybersecurity Breach
- The Legal Fallout of a Cybersecurity Incident: 4 Surprising Developments
- Wealthy Russian with Kremlin Ties Sentenced to 9 Years for Hacking and Insider Trading Scheme: A Dive into the Dark Realms of Power and Criminality
- Cars are a ‘privacy nightmare on wheels’. Here’s how they get away with collecting and sharing your data
Title: “The Dark Side of Mobility: Unraveling the Privacy Intricacies of Car Data Collection”
- Catalyte and Google Partner to Create New Cybersecurity Apprenticeship Pathways
- Cybersecurity Chronicles: An Updated Insight into Naked Security
