New rules for publicly traded companies went into effect Sept. 5, with the Securities and Exchange Commission requiring businesses to begin regularly reporting on their cybersecurity risk management strategies, board-level cybersecurity governance and oversight and, of course, reporting rules for material cyber incidents.
While the incident reporting portion won’t go into effect right away — they go live Dec. 18 for larger public companies and 180 days after that for smaller businesses — businesses are already scrambling to parse out how the new rules may affect their approach to cybersecurity.
There are exceptions for national security reasons, but most businesses should expect to file a notice with the SEC within four days of determining that a hack or security incident is “material” in nature.
Harley Geiger, a cybersecurity policy lawyer at Venable and noted skeptic of the new rules, thinks companies should be ready for the possibility that they will need to report a hack to the government while still investigating fundamental aspects of the breach.
“Because of the required timeline for disclosure, companies should be prepared to perform these assessments and disclosures even if the cybersecurity incident is ongoing,” Geiger wrote Tuesday. “Public companies' security, legal, and corporate communication teams should collaborate to adjust cyber incident response plans and financial reporting processes to accommodate these obligations.”
'Materiality' and disclosing breaches
On the disclosure front, one of the biggest questions businesses have had centers around “materiality,” or how the SEC will define a covered incident.
The SEC broadly defines materiality as something that could influence the decision-making of a potential investor. Interpretive guidance developed by the agency around the term defines it as information “such that it is probable that the judgment of a reasonable person relying upon the report would have been changed or influenced by the inclusion or correction of the item.”
That means that any incident at a public company that could reasonably result in a lawsuit or regulatory inquiry, impact vendor or customer relationships, or otherwise harm a company’s reputation or competitiveness, could be covered under the requirements.
George Gerchow, a faculty member of IANS research, and chief security officer and senior vice president of IT at Sumo Logic, fretted that “there are still way too many unknowns at this time” around the question of materiality.
“We are trying to understand what a ‘material incident’ means, but it’s still too ambiguous. Furthermore, there is very little guidance on how companies should handle third-party attacks. Supply chain attacks are on the rise and add another layer of complexity to reporting the full nature and scope of an incident. So, how are companies going to pull in third parties and their team to handle an incident within such a short timeframe?” he asked.
The final regulation issued by the SEC describes the term as security incidents that have “materially affected or are reasonably likely to materially affect [a company’s] business strategy, results of operations, or financial condition.” Companies must file annual disclosures, as well as a Form 8-K document, with the agency for specific security incidents, detailing the nature, scope, timing and impact of the incident on their business operations or customers.
Crucially, Geiger noted that unlike many other incident reporting rules, hacks reported under the new SEC regulations will be made open to the public through EDGAR, the agency’s reporting system for publicly traded companies.
“This may put companies in the position of publicly disclosing significant cyber incidents before the incident has been contained or mitigated, which may complicate companies' recovery efforts and coordination with other federal agencies,” he noted.
Risk management and cybersecurity roles on boards
Other SEC measures going into effect Tuesday include a requirement for companies to describe their cybersecurity risk management strategies and how those strategies practically integrate into the company’s larger business operations, as well as a separate requirement to detail the role that boards of directors and management play in overseeing cyber risk and what kind of background experience top executives have in cybersecurity.
That could make cybersecurity qualifications a bigger factor when hiring for C-suite and other executive positions as businesses attempt to comply. It could also mean that some businesses will look to play up or inflate the cybersecurity backgrounds of the candidates they do hire, as one expert remarked to SC Media recently.
It could also lead to mixed messages about how a business’ cybersecurity program works in practice — the way it’s carried out by practitioner staff — and the way it’s described by executives who are further removed from the ground level reality.
“A general divide exists between the development of security policies and controls by management and security teams and the actual implementation of the policies and controls by data engineering and DevOps teams,” said Ben Herzberg, chief scientist of data security at Satori. “Teams on either side of development and implementation have their own priorities and objectives.”