Weeks after the Securities and Exchange Commission adopted new cybersecurity disclosure rules, publicly traded companies across the U.S. and abroad are reassessing internal security practices and governance to prepare for heightened levels of accountability.
Following a combative open hearing, the SEC voted 3-2 for new rules that require companies to disclose material cyber incidents to the agency. Companies will have four business days to report the incident to the SEC once they determine it is material to the business.
The rules, which will go into effect Sept. 5, are designed to ensure investors and other members of the public are informed about these events in a much more timely and consistent manner.
SEC Chair Gary Gensler said if a company lost a factory in a fire that would be considered material to the business, and the loss of millions of files to a cyberattack needs to be treated with the same level of materiality.
“Whether it’s a material factory [incident] or a material cybersecurity incident, it may be important to those investment decisions that we oversee the disclosure for,” Gensler said during the July 26 open meeting.
Over many years, the agency’s disclosure requirements have “evolved to meet investors’ needs in changing times,” he said.
The SEC made numerous accommodations following concerns about national security and the release of proprietary information. The final rule still incorporates a strict schedule designed to provide timely information to investors regarding the security of corporate data and the potential loss of customer information.
“Generally, businesses should be excited about changes to the rules as the SEC tried to streamline compliance in a lot of areas,” said Joe Nocera, lead partner of cyber, risk and regulatory marketing at PwC US. “However, the requirement that incidents be disclosed within four business days will be a heavy lift for companies.”
The push for regulatory change emerged after federal officials raised concerns about the lack of incident transparency in the wake of the Sunburst malware attack on SolarWinds, a publicly traded provider of IT monitoring software, in 2020, and the ransomware attack against Colonial Pipeline, a closely held fuel supplier, in 2021.
A 2022 report released by Sen. Gary Peters, D-Mich., showed upwards of 75% of ransomware attacks went unreported, while the SEC and other regulators found that companies often failed to make timely disclosures about material breaches and attacks.
Gartner, in a report released in September 2022, noted that public companies filed less than 43% of their disclosed breaches to the SEC in 2021.
Companies took an average of 79.8 days to report the incident to the regulatory agency, which was up from an average of 60.6 days in 2020, Gartner found.
But companies should not expect to be able to maintain such an inconsistent and irregular pattern of reporting if they want to maintain investor confidence, Gartner said. Instead, organizations should conduct internal audits of incident response plans and cybersecurity controls to determine whether they can quickly respond to an attack or breach.
Taking security to the board
Many companies will have to reassess their existing relationships between security operations teams, the C-suite and the board of directors under the new rule.
CISOs will need to have more direct and frequent communications with the upper echelons of their companies to make sure the board and investor relations arms are fully aware of ongoing cyber risk.
“Operational rigor to determine material impact and streamlining incident response will be brutal and expensive for many public companies,” George Gerchow, CSO and SVP of IT at Sumo Logic and a faculty member at IANS, said via email.
The rapid proliferation of malicious threat activity means that companies must be ready to respond to these threats at all levels beyond just the security operations team.
“The new SEC rules add additional considerations to an already complex response process and companies must get better and faster at making non-technical decisions during a cyber event,” Jennifer Burnside, Mandiant’s cyber crisis communications practice leader, said via email.
CISOs will need to update their organization’s incident response plans in order to factor in the new guidelines, according to William Candrick, director analyst at Gartner.
“In particular, cybersecurity professionals must work with their internal and external legal functions to establish escalation paths and collaborative processes to evaluate if and when cyber incidents become material and thus reportable,” Candrick said via email. “Navigating the SEC’s new guidance will become a cross-functional team sport across cybersecurity, legal, investor relations and business leadership among others.”
Beyond prompt incident reporting, the new SEC rules call for annual reporting on cybersecurity oversight at the management and board level. Companies will need to disclose internal processes for assessing cybersecurity risks and provide information on how they are assessing material risks.
The SEC rules come as the investment community has taken a greater interest in enterprise cybersecurity. The investment community is holding upper management accountable not only for their responses to cyber incidents, but their preparation and oversight of cyber risk.
“Investors expect that the CEO and their security team — CISO, CIO, CFO, [general counsel] — to own responsibility for a cyber incident,” Lisa Donnan, a partner at private equity firm Option3, said via email. “Investors want to know, just like the SEC, whether the company engaged consultants or third parties in connection with their cybersecurity risk assessment program.”
Even before the implementation of these new rules, the SEC is holding companies accountable for weak oversight or misleading investors about existing cyber risks.
The SEC in March reached a $3 million settlement with software firm Blackbaud for making misleading disclosures about the scope of a 2020 ransomware investigation.
In late June the SEC notified SolarWinds’ CFO and CISO of possible civil enforcement action for alleged securities violations regarding the company’s internal cybersecurity controls and disclosure.
SolarWinds has actively worked with federal authorities to share information with the industry and cooperated in the previously announced investigation, while vehemently denying any improper actions.
“SolarWinds strongly supports transparent information sharing and robust public-private partnerships to combat increasingly sophisticated cyberthreats and enhance the security of the entire software industry,” a spokesperson for the company told Cybersecurity Dive via email. “That is why we promptly, continuously and openly communicated with customers and the marketplace about the Sunburst incident.”
One of the highest risk areas for CISOs is now the issue of personal liability, particularly in light of the conviction of the former Uber CSO for covering up a ransomware payoff and the aforementioned SEC civil probe into the actions of the SolarWinds CFO and CISO, who was VP of security at the time of the attack.
A May report from Proofpoint shows more than 60% of CISOs fear personal liability related to cyber incidents and corporate governance issues. A similar number said they would not join an organization without some type of directors & officers liability coverage.
“There is growing concern that the SEC cybersecurity reporting rules will expose CISOs to personal liability,” Candrick said. “As a result, some CISOs are already discussing being added to directors and officers insurance – especially if the CISO is named in any financial reporting or is required to formally validate any cybersecurity statements made in financial reports.”
Companies that are prepared are updating incident response plans, conducting tabletop exercises, as well as compromise and red team assessments to understand how best to respond to cyber intrusions.
Companies need to create alignment between their CISO, board of directors and executive leadership team, according to Rocco Grillo, managing director and head of global cyber risk at Alvarez & Marsal.
“These organizations aren’t just doing this because of a regulatory requirement, it is also because their approach to enterprise risk management and safeguarding of their critical assets is of paramount importance,” Grillo said via email.
Many companies are not prepared to take on the responsibilities of rapidly responding to cyberattacks in order to determine whether they are material to their business operations, according to Gerchow.
A number of companies are embracing the new SEC rules as a way to enforce rigor in how they maintain network security and prepare for incident response.
“On any given day we can predict the likelihood of natural disasters impacting critical infrastructures,” Megan Samford, VP product security and chief product security officer of energy management at Schneider Electric, said via email. “We need to get to a place where we have similar predictability and risk analysis for cyber incidents.”
Industry pushback
Several key industry groups remain opposed to the new regulations, with some hinting at potential legal challenges down the road.
The Bank Policy Institute said the SEC rule will harm the very investors the agency is trying to protect. The bank advocacy organization is concerned the rule will provide sensitive information to malicious actors that would put companies in further danger of attack.
The U.S. Chamber of Commerce said the new rule violated earlier mandates agreed upon in the Cyber Incident Reporting for Critical Infrastructure Act, which allowed companies to confidentially report cyber incidents to federal authorities in order to help prevent future attacks against other critical industry providers.
The Chamber of Commerce has “grave” concerns about the new SEC rules, said Christopher Roberti, SVP for cyber, space and national security policy. “The Chamber will continue to carefully evaluate the impact of this rule and our options going forward,” Roberti said in a July 27 statement.
The business organization sent a letter earlier this week to Gensler asking for a 12-month delay in implementation of the rule and further industry dialogue.
SEC officials declined to comment for this story.