By Cam Sivesind
Mon | Jul 31, 2023 | 11:32 AM PDT

Cybersecurity professionals have various views on last week's news from the United States Securities and Exchange Commission (SEC), which surprised the InfoSec community and the C-suites of corporate America. The regulatory agency announced last week that it moved up its adoption of rules from October to effective immediately, requiring companies to disclose material cybersecurity incidents to investors.

Here's the SecureWorld News article on the announcement from last week, and a key quote from an SEC press release on the matter:

"Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors," said SEC Chair Gary Gensler. "Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them."

We asked for comments from cybersecurity experts in the SecureWorld network, and here's what they had to say.

Sam Masiello, CISO, The Anschutz Corporation:

"I would expect that many CISOs today are feeling as if their job just got harder and now has a brighter spotlight shining specifically on them. Without requiring the disclosure of cyber expertise in the board room, CISOs who do not feel that they have an advocate today at that level are likely feeling as if they are being put into a more difficult position than they were already in.

While this can be viewed from a number of different perspectives, I'll take a moment to focus on a potentially positive aspect of the new rules. If you are a CISO today who is not getting face time with the board, look at this as an opportunity to continue to press for the need to discuss the current state and cyber risks currently being faced by the company. It is still very important that the board be aware of cyber risks that could materially affect the business, and the CISO should be the one who can most thoroughly explain the likelihood and impact of those risks, if realized.

There are also opportunities for increased partnership with the business to define materiality and how a cybersecurity incident fits into that definition for their particular organization as that will also have an impact on disclosure requirements."

Dd Budiharto, CISO, Board Member; Founder of Cyber Point Advisory, a vCISO firm:

"Here's the Good, the Bad, and the Other from the SEC's latest ruling.

The Good:

  • This is a step toward the SEC being the equalizer of the imbalance in the cybersecurity ecosystem, where cybersecurity is often treated as an IT issue, the government has little understanding from the operational level (hence unrealistic and impractical requirements), and OEMs are not held accountable for pushing vulnerable products to the market.
  • Management is required to connect the dots of cybersecurity impacts on the business.
  • Maybe the CISO reporting structure will be elevated to be alongside the business versus being buried under the CIO organization (conflict of interest) or several layers down.

The Bad:

  • The equalizing period will take a while (ahem… look at how long it took to get to where we are), but it's a start.
  • Many CISOs are already burnt out, and there is a shortage of qualified CISOs globally. CISOs are expected to be a unicorn already. This ruling may push them over the edge if they don't receive the support they desperately need. Support comes in various forms: elevated reporting structure, adequate budget and team, not calling them on their time off, not treating it as an IT issue, etc.
  • This ruling is not supportive of SMBs (small and medium businesses). Large businesses will require them to follow the ruling, but they do not have the capital to implement it. Lawmakers need to come up with ways to support them.

The Other:

  • This ruling won't move the needle for some organizations who believe that cyberattacks won't happen to them.
  • This ruling still has a gap in addressing the cybersecurity talent shortage. The parties involved are wide and deep, from higher education to HR's way of recruiting and to technology used to scan candidates, and many more aspects in between. After all, a CISO can't do it all.
  • What about providing D&O (directors and officers liability) insurance to CISOs? That's not addressed either."

Tom Brennan, Executive Director of Americas Region for CREST, comes at the news from the CIO perspective:

"As a result of the SEC's final rules and the challenges faced by CIOs in advocating for stronger cybersecurity governance, a CIO needs to:

  1. Collaborate with the CISO/IT team and business management teams: Work closely with the CISO/IT and management teams to ensure a better understanding of cybersecurity risks and incidents and provide the necessary information for disclosure requirements. For sanity, manage to a written information security policy.
  2. Map current state and future state: Create and implement a robust cybersecurity strategy that aligns with the new SEC rules and emphasizes the value and impact of cybersecurity on investor interests.
  3. Engage with board members: Engage with board members to educate them about the cybersecurity requirements, risks, and the importance of having cyber expertise in the boardroom as an expert.

The best way to accomplish this goal is to perform a tabletop exercise (TTX) with a third-party organization and look at the results through the lens of a regulatory body working with outside general counsel. I recommend the TTX exercise or 'game' be created using the Center for Internet Security v8 control objectives and free templates. (CREST provides accreditation of vendors.)

If the CEO, COO, or executive team does not care, then it's time for the CIO to move on to another organization that does; time is short and the most important asset in life."

Al Lindseth, Principal, CI5O Advisory Services; Former SVP, Technology, Process and Risk Management, Plains All American Pipeline:

"In my opinion, the audible around disclosure, specifically of the board's cybersecurity expertise, only increases the need for connection between management and the board on cyber. There was some risk in requiring a board level cyber expert, either because that might not be as effective or achievable, or because other board members might back off. This is more gradual and a solid step forward.

In parallel to any larger effort to put a comprehensive program in place, there are smaller actions and communications that can help to build and ensure that connection and mutual language and understanding is being developed and strengthened. Different elements of the risk formula—threat, consequence, and vulnerability—can be purposefully mixed into communications, both formally in the board meetings and informally outside of them.

Threat, a probable frequency or number of risk events in a year, can be represented by discussing other risk events in the headlines as they catch management and the board's attention, applicability or not to your organization, in a way that evidences how you utilize actionable threat information, ideally better than others. You can show that consequence, the probable losses from an event, is top of mind by updating the board on your disaster recovery, business continuity, and crisis management drills and exercises with examples that quantify the effects, say on one of your top revenue earning plants or operations. Third-party assessments, program or plan updates, and internal scorecards help to explain risk mitigation options and actions around important vulnerabilities at a material, board level without getting too in the weeds, say with patching program updates which is often difficult.

You don't have to wait to talk to the board about these items. Even if you're not at a point where you are rolling out a formal program or set quarterly report yet (which you should be trying to get to ASAP), the CISO, CEO, or others could easily mix these items into every single board meeting, which I think most boards would appreciate."

Mario Chiock, Chief of Staff, Integriti:

"The new rule requires disclosure within four days of a company identifying a 'material' cyber incident, and includes the possibility for a 30-day or longer delay if approved by the U.S. Attorney General.

The rule requires annual reports on corporate governance and risk management policies, but dropped the requirement to identify a member of the board with cyber expertise, a provision opposed by the National Association of Corporate Directors. In my opinion, the board should hire an experienced expert if none of them are qualified for cybersecurity (example, myself); it is always better if it is an independent advisor reporting to the board. I also believe that executives like the CFO and CRO need to be educated on cyber risk.

Most boards have an audit committee that focuses on compliance, not security; there should be a Cybersecurity Committee that focuses on cyber risk."

Joshua Brown, VP and Global CISO, H&R Block:

"The pessimist in me defines 'compromise' as an outcome where nobody gets what they want. However, in moderating some of the proposed rule changes in response to feedback from companies, board members, and CISOs, I think the SEC did an admirable job of meeting the primary goal of the regulation: to increase transparency in meaningful ways without being overly proscriptive or pretending that every size and type of company should have the same processes and requirements.

Many were surprised that the rules are taking effect earlier than originally anticipated, but this is a good thing; reporting on incidents once materiality has been determined is both more practical and more effective (in terms of increasing transparency to shareholders) than rushing through discovery in order to meet an arbitrary timeline during the 'fog of war' that often accompanies the early phases of incident detection and triage. And since companies will each have unique approaches to risk management, tailored to their own particular needs and strengths, the focus on material impact enables companies to continue to adapt their programs as the threat landscape changes.

The area where I was disappointed—but not surprised—to see the SEC back off from the original proposal was dropping disclosure requirements for having cybersecurity experience at the board level. While this had the hallmark of being a paper control (a plethora of 'certification' programs has already sprung up), I don't think that having cyber-aware board members is at all a bad thing. The threat of cyber disruption is material and represents a risk to businesses. I would think that boards would want to have that experience, even though it is somewhat difficult to come by. Understanding the nature of the threat and how to appropriately mitigate that risk should be a shared responsibility, not solely the purview of the CISO or CSO.

Regardless, the final regulation is a solid step forward for meaningfully increasing transparency while allowing a great deal of flexibility in how companies approach cyber risk management."
