6 Months Under the SEC’s Cybersecurity Disclosure Rules
In December, the US Securities and Exchange Commission’s (SEC) rules for public company cybersecurity incident reporting went into effect. Now that these rules have been in place for six months, how do they impact public companies and enterprise security leaders?
8-K Disclosures Are Happening
Under the SEC rules, public companies must disclose cybersecurity incidents within four days of determining an incident to be material. These disclosures must be made via 8-K filings.
A number of companies have filed 8-Ks, some even in advance of the rules officially going into effect. “There were some pretty notable breaches at companies like MGM and Clorox in the fall, and you saw them actually go through the 8-K process and disclose those in advance of the rules,” says Karen Walker, CFO at Sysdig, a cloud security company.
Are the SEC rules living up to their intentions?
“Investors deserve more insight into an organization’s risk monitoring practices and the role that board and management play in those practices,” Nithya Das, chief legal and administrative officer at Diligent, tells InformationWeek via email. Diligent is an ESG and governance, risk, and compliance SaaS company.
Several companies have made 8-K disclosures under the SEC rules, apparel company VF Corp. and insurer UnitedHealth Group among them. Many disclosures have faced criticism for being light on the details. The quantitative impact of these incidents is missing from the filings, according to Forbes.
Walker points out that it can take time for companies to reveal that level of detail from an incident. “It’s better to go on and update rather than to try to speculate, or try to take too much information out and then later have to come back and say, ‘No, that wasn’t right,’” she explains.
Clorox was hit with a cyberattack in 2023, and the fallout was detailed in more than one 8-K filing. In its most recent 8-K, filed April 30, the company dug into its Q3 2024 results, including details on how that cyberattack impacted those results.
Will companies release more details in updated 8-Ks as time goes on? Will the SEC start to demand more details as it scrutinizes compliance? Time will tell.
Materiality Questions Linger
Defining materiality remains one of the biggest questions as companies get used to this regulatory requirement. “When I talk with CISOs, and I talk with other security leaders that have to deal with it, a lot of what they still have questions about is materiality,” Tim Chase, global field CISO at Lacework, a cloud-native application protection platform company, tells InformationWeek.
That ambiguity around materiality may be leading companies to err on the side of caution: better to report than not. “Right now, without clarity, we see that most companies lean towards making the 8-K disclosure, which could water down the purpose of the disclosure requirement,” says Das.
Tackling the thorny issue of materiality requires collaboration among executive leaders in security, privacy, and legal. “[Make] sure that the CISO and the CLO and the CPO are all on the same page,” Chase recommends. “Those three people are going to be the ones that are going to determine if something is material.”
As more time goes by, public companies may gain more clarity around how the SEC views materiality. “If there is enforcement and there are cases that come out, that could likely be a guide that people actually look to, to understand how they think about that assessment,” says Walker.
Cybersecurity Is a Board-Level Issue
Under these SEC rules, public companies are also required to include information on cybersecurity risk management and governance in 10-K filings. The message is clear: Cybersecurity is a board-level issue. How are boards responding to the rules thus far?
“What I’m hearing from peer groups, from other board members, and what I’m hearing from some of the firms is that I think updates to the board are … the most common change,” Walker shares.
Professional services company PwC conducted an analysis of the initial round of 10-K filings and found that most companies that filed noted that CISOs are periodically updating the board. But boards do not appear to be taking on cybersecurity learning themselves. The PwC report found that just 8% of filing companies shared that board members took on upskilling.
While changes to board composition may take time, enterprises are thinking about the critical role cybersecurity must play there. The majority of respondents (80%) to a survey conducted by security automation company Swimlane said that companies with a board of directors should have at least one person with cybersecurity expertise on the board.
CISOs Are Thinking About Personal Risk
Personal risk remains a topic of discussion and a concern in the CISO community. In October 2023, the SEC charged SolarWinds and its CISO with fraud and internal control failures. “The enforcement by the SEC with SolarWinds and their CISO definitely struck a lot of fear within the CISO world,” says Walker.
During the RSA Conference in San Francisco this year, a panel discussion focused on the increasing pressure CISOs face and the risks that come with that title.
This concern calls into question what kind of protection CISOs should have. Scott Algeier, executive director of the nonprofit Information Technology-Information Sharing and Analysis Center (IT-ISAC), has spoken “… with CISOs who have explored getting liability insurance for themselves in the role and/or getting added to corporate policies.”
If CISOs do accept the potential risk of being held personally responsible by regulators, they may also be evaluating their position within enterprises. “CISOs often are in the position where they have the responsibility, but they don’t always have authority,” Algeier points out. This tension is yet another factor that adds to the discussion of the relationship between CISOs and boards. How often should CISOs be interacting with boards, and should they have a seat at the table?
Navigating the Regulatory Landscape Is Complicated
Cybersecurity isn’t going to fall off the SEC’s radar anytime soon. It is a recurring theme in its 2024 Examination Priorities report. For example, the SEC notes it will be focusing on cybersecurity issues related to third-party vendors.
And the SEC isn’t the only regulator focused on cybersecurity. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which will require covered entities to report incidents to the Cybersecurity and Infrastructure Security Agency (CISA), is on the horizon. Regulations from other countries and sector-specific regulations are also on many CISOs’ plates.
“Some of the regulations are complementary. Some of them are duplicative. Some of them are competitive with each other,” says Algeier.
There have been calls for regulatory harmonization. For example, the Biden-Harris Administration’s National Cybersecurity Strategy released last year calls for harmonization and streamlining of new and existing regulations to ease the burden of compliance.
But in the meantime, enterprise leadership teams must operate in this complicated regulatory landscape, made only more complicated by budgetary issues.
“Security budgets aren’t growing for the most part. So, there’s this tension between diverting resources to security versus diverting resources to compliance … on top of everything else that the CISOs have going on,” says Algeier.
So, what should CISOs and enterprise leadership teams be doing as they continue to work under these SEC rules and other regulatory obligations?
“CISOs should keep in mind the ability to quickly, easily, and efficiently fulfill the requirements laid out by the SEC, especially if they were to fall victim to an attack,” says Das. “This means having not only the right processes in place, but investments into tools that can ensure reporting occurs in the newly condensed timeline.”
Tools that drive automation could be part of the answer. “I do think that this is one area in the next couple of years that GenAI could end up helping us,” says Chase. “Being able to detect events faster will help you meet the reporting requirements.”
But AI is a double-edged sword. As new, helpful tools proliferate, so do risks. “I think there will be sensitive data that will get exposed as a result of AI, which obviously is something that could be reportable if it’s material,” Walker points out.
Six months is a relatively short period in the regulatory landscape. As time goes on, more filings and potential enforcement action will reveal how the SEC’s rules are shaping public companies’ approach to cybersecurity.