The compliance deadlines for the SEC's new cyber regulations are approaching in the coming days, and CISOs have spent the past five months pondering the best ways forward for implementation, and how the rules will shape their organizations' security practices and existing structures as a whole.
The cyber rules come with a number of implications for companies, but the most significant mandate requires public companies to disclose incidents within four business days of determining that they’re material. Additionally, public companies will be asked to continuously assess the effectiveness of their security risk management practices. As part of this, companies are required to publicly disclose the level of oversight by their boards of directors, and the role and expertise of management, in assessing security risks.
The hope here is to protect investors by informing them about the security risk management processes and incidents that affect publicly traded companies. But for the CISOs of impacted organizations, the SEC’s new rules are having wide-ranging effects on internal processes relating to incident disclosure and response, vulnerability and risk management and more. The immediate impact is that it is driving conversations at the executive and board level about internal security processes, said Greg Notch, CISO of Expel.
“I think this is driving the outcome the SEC was hoping for; now you’re seeing adult conversations with executives and boards about the risks inherent in the business, and the choices that exist about them,” said Notch. “Allocation of resources is not the CISO’s call - it’s the CEO’s call, and it’s a shared decision. Buttoning up those kinds of communications among the rest of the executive leadership team is what every CISO should do - and many of them are.”
Notably, while the SEC’s cyber rules went into effect on Sept. 5, the compliance deadlines for the majority of companies are later. Companies must outline their security practices, risks, board oversight and management’s roles beginning with annual reports for fiscal years ending on or after Dec. 15, and the compliance deadline for the incident disclosure requirements is Dec. 18.
Unpacking the Language
For the most part, the language used by the SEC is not prescriptive and there are no explicit definitions for terms like cybersecurity risk management, strategy and governance, leaving organizations to define thresholds on their own.
But the biggest question mark relates to the concept of “materiality,” a term at the heart of the SEC’s four-day disclosure policy and its requirements for tracking the assessment, identification and management of cybersecurity risk.
The SEC says that “information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have ‘significantly altered the ‘total mix’ of information made available,’” but explicitly refrains from defining the term further.
“We acknowledge commenters who asked for additional guidance regarding the application of a materiality determination to cybersecurity or sought to replace materiality with a significance standard,” according to the text of the SEC’s rule. “As noted in the Proposing Release, however, we expect that registrants will apply materiality considerations as would be applied regarding any other risk or event that a registrant faces. Carving out a cybersecurity-specific materiality definition would mark a significant departure from current practice, and would not be consistent with the intent of the final rules.”
While this type of language is vague, it may give organizations wiggle room to implement a reasonable approach for their existing security programs. Merritt Baer, field CISO at Lacework, worked with 30 other CISOs across the industry to develop landscape-level frameworks for SEC materiality determinations. When looking at the concept of materiality, they took into consideration many factors, including whether the incident could be considered severe, whether compromised data could put companies, employees or customers at risk, and whether the incident has a significant financial impact.
“The SEC deliberately left the affected entity to make the determination ‘when do I need to disclose?’ - or, more specifically, ‘what makes an incident material?’” said Baer. “The CISO will need to work with their counterparts to come up with a reasonable approach to addressing that question. Mature organizations will put a framework in place around that decision so that they can justify/defend individual decisions that could fall under scrutiny.”
The SEC’s wording has also turned internal conversations about vulnerabilities and incident response into a “what if” game as it relates to potential materiality, said Notch - and that, in turn, has forced difficult but necessary conversations between CISOs and the board about how materiality is defined, how customers are impacted and what it could mean for the company.
“Even for non-publicly traded companies, the way you’re thinking about talking about incidents in your environment, the way you’re presenting them to your board, the way you do vulnerability management, all now has to take materiality into account,” said Notch. “It causes the kind of thinking that the SEC was hoping to drive, which is, ‘hey are we casting this in the light where the external stakeholders’ point of view is represented in this conversation?’”
The Complexities of a Four-Day Disclosure Timeline
Security executives agree that the SEC’s four-day incident disclosure requirement will have resounding ramifications for public companies, both internal - altering the existing processes within organizations - and external - impacting relationships with stakeholders, customers and more.
Previously, organizations typically disclosed security incidents at first only to those involved in incident response, containment and remediation efforts, and critics say that the new timeline is too fast for companies already grappling with the impacts of a cyberattack. At the same time, security experts worry that the rushed timeline could expose a vulnerability that allowed the attack to occur in the first place, or reveal to attackers that their cover has been blown.
The rules will also have operational implications, and many CISOs believe that the collaborations surrounding incident response will need to change. As part of this, companies may need to involve the legal, business and even communications or marketing departments in earlier stages of incident response. Legal teams may now need to be tied into the disclosure determination part of the incident from the start, for instance.
Another potential layer of complexity is how the SEC’s guidelines fit into current disclosure requirements with an organization’s customers, partners and other third parties. Companies that have current contractual agreements with customers to disclose a security incident within a week may now need to rethink those terms.
“You’ll have contractual requirements for customers - those could be certain customers or across the board - and companies will need to reconcile that this is what the SEC wants and this is contractually what is in our master service agreement, but I wonder if there’s a window where you would have to thread this,” said Rick Holland, CISO at Reliaquest. “It adds complexity.”
The SEC has included a provision that may exempt companies from its stipulations, if national security or public safety are potentially threatened. According to recent clarifications from the FBI, the Department of Justice is responsible for determining these exemptions and can grant a 30-day delay for public filing (in total, the DoJ can actually grant a delay of up to 120 business days in “extraordinary circumstances”).
What Do the SEC’s Rules Mean For CISOs?
The cyber rules also will require companies to be more transparent about their practices for assessing and managing security risks, and the material impacts of both those risks and previous security incidents. Companies must disclose this information as part of the annual Form 10-K filing, where they will also be required to describe the board of directors’ oversight of risks from security threats, and management’s role and expertise in managing material risks from security threats.
The inclusion here of enterprises’ board of directors and leadership further pushes responsibility for organizational cybersecurity practices higher up the management chain. This also comes after the SEC pressed charges against Uber’s former CISO Joe Sullivan last year for covering up the company's 2014 data breach, and SolarWinds CISO Timothy Brown this year for allegedly misleading investors about the company's cybersecurity practices and known risks.
CISOs hope that the new rules create an opportunity for more collaboration with boards of directors and other executives, if the common goal of compliance is driven by decisions about how security risks could impact business. While not stipulated by the SEC, many boards of directors are creating dedicated cybersecurity committees, and CISOs hope that these types of committees will improve communication between boards and security teams, and ultimately result in increased support and resources for cybersecurity strategies.
“I hope that these new rules give CISOs a bigger seat at the table and add security expertise to boards of directors,” said Baer. “I also see room for CISOs to better translate for their board the kinds of business impacts that security decisions create - so, rather than a raw number of unpatched CVEs, talk about why your patching cadence has resulted in X percent less downtime, and what that uptime translates to in terms of productivity, dollars in the door, etc.”
Many CISOs have been proactively preparing for the requirements by working with their legal teams in order to craft descriptions of their security processes and reassess different stages of their incident response procedures. However, there is an opportunity here for organizations to go beyond mere compliance.
Karen Worstell, Carbon Black’s senior cybersecurity strategist, said companies can use the SEC’s rules as a jumping-off point to develop business-driven cybersecurity metrics and to ask an important question: “What are the outcomes that we need to strive for, and what will it take for those to be true?” The first step here is getting the right roles and responsibilities properly parsed out across the company, and then getting everyone together and understanding what constitutes reasonable security, said Worstell.
“Part of this is setting the bar of reach… saying ‘this is our bar of reasonable security and acceptable risk, and everything we do has to be higher than this bar,’” said Worstell. “That’s a level set that has to happen. Once that happens you can sit down and say, ‘what are the business objectives that I want to happen here?’”