SEC Breach Disclosure Rule Makes CISOs Assess Damage Sooner
Rule Would Force Firms to Disclose 'Material Cybersecurity Incidents' in 4 Days
A proposed rule requiring publicly traded companies to disclose a breach within four days of deeming it material will force CISOs to determine the consequences of cyberattacks sooner.
CISOs today are initially most focused on the impact to corporate data and systems when they first learn about a breach, Davis Wright Tremaine partner Michael Borgia tells Information Security Media Group. Going forward, CISOs will need to have board-level conversations within a day or two of discovering a breach to determine whether or not the incident is material so that the company can adhere to disclosure rules (see: US SEC Proposes 48-Hour Incident Reporting Requirement).
"The four-day requirement is much faster than most companies would likely report today," Borgia says. "That's really going to affect the conversations that are happening upfront when a security incident initially gets reported. Typically now, companies want to wait before deciding what the consequences might be of a security disclosure, and that conversation is going to have to happen a lot sooner."
The U.S. Securities and Exchange Commission last month proposed new rules designed to increase transparency around security incident reporting, including a mandate that publicly traded companies disclose a "material cybersecurity incident" within four business days of determining that the incident is material. The comment period on the SEC's proposed rule changes ends May 8.
The SEC proposal is being celebrated by some CISOs. Equifax's Jamil Farshchi calls it "too good to be true" and says on LinkedIn that it will give CISOs "a permanent seat at the table." Farshchi's post says the new mandates will make cyber risk and strategy a standard board-level topic and turn enterprise security investment into strategic priority. Farshchi wasn't immediately available for comment to ISMG.
"This is big. In fact, I've never seen a regulation that could do more to change security culture," Farshchi writes on LinkedIn. "This SEC proposal requires transparency and accountability at the highest levels of corporate leadership. The changes are both practical and monumental."
What Is Considered Material?
The central question facing CISOs who've experienced a security incident will be how materiality is determined. The easiest way to assess whether an incident is material is to look at the impact on sales as a percentage of the company's overall revenue, or to track how many days a company's systems or operations are down as the result of a ransomware attack, Borgia says.
But the SEC has pressured companies to also consider qualitative factors such as reputation and how central the breached data or systems are to the business, he says. For instance, Pearson paid the SEC $1 million to settle charges that it misled investors about a breach involving millions of student records. Though the breach might not have been financially material, he says it cast doubt on Pearson's ability to keep student data safe.
The impact of the proposed rule will largely come down to how much leeway the SEC gives breach victims in determining whether an incident is material. If the SEC goes after businesses for initially classifying an incident as immaterial and then changing their minds weeks or months later when new facts emerge, he says, companies will start putting out vague and generic disclosures that aren't helpful.
"In the fog of these incidents, it's not easy to determine what's material," Borgia says. "You look back and you say, 'Oh well, we did know this on day one,' but so many things are happening because so many facts are coming in at once. It is much, much harder in the heat of the moment to be processing these things in real time and understanding what everything means for you and your legal obligations."
Don't Tip Your Hand
Venable Senior Director of Cybersecurity Services Grant Schneider questions how much companies will be required to disclose or report when dealing with incidents that involve an unmitigated vulnerability. While the SEC wouldn't want companies to shirk their reporting responsibilities by leaving a vulnerability unmitigated, Schneider, who is an ISMG contributor, says any disclosure must be vague enough not to tip adversaries off to the issue.
"I think there's a balance," he tells ISMG. "We need to make sure that the things being reported are vague enough that you're not highlighting, 'Hey, this is a brand-new vulnerability' much like Log4j that got disclosed before it had been mitigated and there were lots of problems."
Outside of breach notification, the SEC proposal would also require publicly traded companies to disclose information on their security programs and approach to risk management, which Schneider thinks might ultimately have a bigger impact. Schneider says the proposal could pressure companies with lax security spending to increase their investments and drive companies to adopt new measures.
"There should be more transparency around the cybersecurity practices of companies, both for the consumers of those companies' goods and services as well as, of course, their investors," he says.
Schneider says he hopes the enhanced reporting requirements would prompt publicly traded companies to adopt phishing-resistant multifactor authentication in as many areas of their business as possible as well as good patch management and update practices. Most breaches involve exploiting a known issue that customers haven't yet patched, and he says he would like to see companies be more proactive in this area.
"The potential consequences of a cybersecurity incident at a company can be catastrophic from a lack of public trust and confidence to the direct material impact of an incident," Schneider says. "This is going to give investors a little more insight into an area of risk that has been pretty opaque."