The SEC wants to know about your cybersecurity incidents and management

In the spring of 2022 the Securities and Exchange Commission (SEC) proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by registrants. As always with such proposals, the SEC solicited public commentary and even extended the comment period at the request of multiple industry and government groups.

The core of the rule changes (details can be found at the SEC links provided below) are:

• Require disclosure of information about any material cybersecurity incident within four business days of the registrant determining that a material cybersecurity incident has occurred;
• Require updated disclosures concerning management of previously disclosed cybersecurity incidents;
• Require disclosure when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate (to the extent known to management);

But wait, there’s more! The SEC would also like to know more about how registrants manage cybersecurity risks, including information about cybersecurity strategy and governance. This reporting would include disclosures describing:

• Policies and procedures for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity as part of its business strategy, financial planning, and capital allocation; 
• Board oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures, and strategies.
• Board member cybersecurity expertise and whether any member of the registrant’s board of directors has expertise in cybersecurity, including the name of any such director and any detail necessary to fully describe the nature of their expertise.

On the face of it, these proposed disclosures would provide security information that would enable financial  markets (i.e.- people who buy and sell shares, bonds, etc.) to incorporate the apparent security competence and related investment priorities of traded companies in their evaluation, recommendation and buy/sell activities. Of course, gathering this information and reporting on it with the regularity prescribed is a cost to registrants and, as was pointed out by multiple commenters on the SEC site, could reveal the inner workings of the security infrastructure and program at reporting firms. Let’s take a moment to think about these two comments or objections:

• Reporting Costs – Although there is some additional cost involved in structuring information into the correct reporting format and submitting it to the SEC, I worry that objections concerning the cost of reporting are actually based on the cost of collecting this information in the first place. This would imply that a registrant is not collecting – as part of normal incident response activities – information describing the apparent attack vector, material impact, recommended remediation, etc. All of this information is a standard output of effective incident management. If you are a registrant and you are NOT gathering this sort of incident data, you need to revisit your cybersecurity investment strategy and build a more effective incident response capability!
• Revealing secrets- A fair number of comments sent to the SEC focused on the danger that public reporting of security incidents would attract more attackers attempting to leverage the successful attack vector. Other comments worried that disclosure of information about incidents would make transparent flaws or lacunae in the security fabric of an enterprise, providing a roadmap for attackers. These concerns are legitimate if we assume that the firm suffering the incident has not responded quickly to close the vulnerability leveraged by the attack. Also, this concern assumes that only the defense of the reporting enterprise is important. Sharing attack data with a public audience might better inform an attacker’s tactics, but it definitely aids enterprises in improving their own attack surface management. Given that the SEC is interested in improving the stability and competitiveness of US corporations as a cohort, it seems to us that public disclosure of attack data would be of great benefit, far outweighing the slender threat that an attacker would use that data.

These are not the only substantive critiques of the proposed rule changes. Another concern is that there are multiple pieces of legislation and executive orders in the offing which target similar reporting requirements and that a multiplicity of overlapping reporting requirements would, in aggregate, create an undue strain on corporations. This is a legitimate concern and harmonization or centralization of the various cybersecurity reporting and disclosure rules which impinge on corporations would be a good thing. What is more difficult to argue is that the SEC should wait until the various political processes are successful at putting useful disclosure rules into effect, a process which could take many years.

My colleagues Lisa Neubauer and Will Candrick discussed with me the potential impact of the SEC rules proposal and we settled on a few recommendations for actions companies can take immediately to prepare for this and similar regulations requiring disclosure of security incidents, policies and procedures:

• Do you have the data? Immediately review your documented and actual security incident response process to discover whether your current documentation of incidents and incident management is at a level which meets the proposed SEC rules. If your incident response process does not currently comply with the anticipated rules, take steps now to improve your CERT/CSIRT operations to support this trend for greater and more timely incident reporting. This sort of documentation and continuing management of open incidents should be standard operating procedure for all enterprises!
• Got governance? Take a fresh look at your suite of strategy, policies and procedures governing cybersecurity. Are these documents comprehensive and readily available? Are they regularly audited, reviewed and updated to keep pace with the expanding threat landscape? Keeping governance documentation current and useful is hard work and should be a priority for the cybersecurity team. Allocate people to this task and set clear milestones and goals for creating and updating all relevant documentation.
• Are you taking a risk-based approach to cybersecurity? Make sure you have a robust cybersecurity risk management program that includes policies and procedures to identify and manage cybersecurity risks which drives your organization in its decision making process.
• Are you fast enough? Is your technology organization able to rapidly (in hours, not days) remove or mitigate known vulnerabilities? Assume that you will have a vulnerability exploited by an attacker and will then need to share that vulnerability information with the SEC. Also, make sure your threat intelligence apparatus is monitoring information provided by the SEC (and any other organization requiring incident reports) to identify vulnerabilities within your infrastructure which have been leveraged to attack other organizations. Take steps now to streamline the process to mitigate vulnerabilities targeted by attacks.

No one wants the burden of more reporting to external regulators, nor the repercussions of not reporting, but the information sought by the SEC is information that every cybersecurity program should be generating and maintaining as a normal part of operations. Make sure your team is already producing everything the SEC wants to see and are providing it to your boards so they can conduct the proper oversight in fulfilling their fiduciary duties. It will help the security industry and will keep your own cybersecurity operations sharp and able to respond effectively to rapidly evolving risks.

Links:

https://www.sec.gov/rules/proposed/2022/33-11038.pdf

https://www.sec.gov/files/33-11038-fact-sheet.pdf

https://www.federalregister.gov/documents/2022/03/23/2022-05480/cybersecurity-risk-management-strategy-governance-and-incident-disclosure