6 months of SEC cybersecurity disclosure rules: An updated view
As we reach the six-month mark of the SEC’s new cybersecurity disclosure regulations going into effect, it seems a good time to reflect on the requirements.
With the average cost of a security breach nearing $4.5 million and the increased frequency and sophistication of attacks showing no signs of letting up, it seems these requirements are necessary; self-regulation proved insufficient, and the stakes are higher than many people in leadership positions recognize. It’s not just a matter of cost (although the cost is exorbitant and growing) — breaches erode customer trust, disrupt operations and impact company value. Not to mention the growing risk of coordinated attacks that impact critical infrastructure and even national security.
I believe we can expect additional regulations and revisions to emerge in the coming years from regulatory bodies, including the SEC. The last six months reflect an ongoing trend as regulators, companies and the public assess and accept the true scope of the issue. These requirements have had a positive impact on cybersecurity preparedness and awareness, but there’s more work to do.
Regulation serves as a measurement tool – if requirements are consistent
My conversations with peers and CISOs across industries have highlighted how these new regulations will help us understand the scope of the issue. We knew the sheer number of breaches — and level of detriment to organizations — had steadily increased over the years, but we lacked uniform, accurate and real-time availability of detailed information.
The disclosure requirements from the SEC have helped — but only to an extent thus far. The multiple, disparate regulatory requirements around cybersecurity can overwhelm professionals and make full and consistent adherence an enormous challenge. A Department of Homeland Security report from last September detailed 45 different federal cyber incident reporting requirements administered by 22 separate federal agencies — and that doesn’t even account for state, local and foreign requirements. As outlined in that report, the Cyber Incident Reporting Council (CIRC) will coordinate a federal effort to harmonize these multiple requirements, which hopefully will go a long way to alleviating the burden.
That said, regarding the SEC disclosure rules specifically, we must remember that the constituency of the SEC and these regulations is the investing public, which differs from the intended beneficiaries of most of the other requirements and will lead to some inevitable differences in approach and requirements.
Cybersecurity awareness belongs in the boardroom
Cybersecurity should be a top priority for all types of organizations — and awareness of the changing threat landscape, new types of attacks to prepare for and what cyber resilience actually looks like is still lacking in too many places.
I recently discussed the SEC regulations with an S&P 100 CISO, who is also generally a fan of them. He feels the requirements are driving greater board awareness and engagement on cybersecurity and adding discipline around understanding and documenting the processes in place to mitigate cybersecurity risk. But he expressed disappointment in a revision between the proposed and final regulations not to require cybersecurity expertise at the board level. While the disclosure requirements do include board oversight (thus increasing awareness), he is among the cybersecurity experts who are concerned about a lack of specific expertise.
Only 3% of directors at S&P 500 companies rate their board’s ability to oversee a cyber crisis as “expert,” and less than half of respondents said their board had participated in a tabletop exercise involving cyber scenarios in the last year, according to one report.
There is ample opportunity for board members to influence firms’ cyber resilience for the better by embedding consideration of security postures into strategic decisions and improving oversight of preparedness for this new era of threats — but it must begin with more education on the topic.
Organizations need clear guardrails and strong cyber tech stacks to comply
While the SEC disclosure requirement applies only to material incidents, the difficulty of determining materiality is an issue. It has led to concerns of both over- and under-reporting, even if unintentionally. In the case of underreporting, the goals of more transparent cyber event reporting aren’t being met. And in the case of overreporting, there is concern that the forest will be lost for the trees and an inundation of data will challenge the ability to draw meaningful insight and conclusions from the disclosures. And some speculate that companies already aren’t complying with the rules and failing to qualitatively disclose what material impacts look like altogether. It is fair to assume that further guidance will be forthcoming from the SEC as it analyses the disclosures being made and that the regulations will evolve over time as things continue to develop. The SEC may also impose fines for non-compliance to encourage the desired behaviors.
To be able to accurately disclose incidents, companies must be able to detect, correlate and assess unauthorized occurrences and have sufficient insight into their scope and reach to understand their potential impact. And when it comes to companies’ 10-Ks, they are effectively required to describe their ability to access, assess and react to timely, accurate data about the state of their IT systems. To achieve these goals, companies need full and detailed visibility into the entire estate including across assets, applications, files and processes — and many companies still lack the tools to get that information in an accurate and timely manner.
These conversations will continue to evolve at the federal level and beyond; even becoming more frequent — for and against additional regulation from more governing bodies. In fact, we just saw a resolution to unwind the SEC regulations on a party-line vote by the House Financial Service Committee. It all goes to show how critical these efforts are and how much corporate cyber risk impacts the public en masse. For now, the enduring companies will be the ones that are prepared for an inevitable ransomware attack or data breach — through a strong security posture, cyber expertise at the top of their organization and a keen eye toward the evolving threat landscape.