The U.S. Securities and Exchange Commission (SEC) has implemented regulations that mandate registrants to disclose any significant cybersecurity incidents they encounter. Additionally, organizations are now obligated to annually disclose essential details about their cybersecurity risk management, strategy, and governance.
The ruling alters the playing field for business transactions and requires companies to focus their disclosures on how the board oversees cybersecurity threat risks, identifying the committee responsible for such oversight, and explaining how the board or committee stays informed about these risks.
Looking into the circumstances and considering the implications for industry is Mike Britton, CISO, Abnormal Security.
Britton sees a positive in terms of the recent news, noting how this can be a springboard towards enhanced understanding: “Increased disclosures and greater transparency is a good thing for everyone concerned with cybersecurity. But there are some uncertainties around how far these SEC cyber rules will go toward actually solving or exposing security incidents.”
Citing an example of the pertinent lessons to be learned, Britton states: “For one, the rule assumes that breached organizations are aware of a material compromise, and that reporting it within the stipulated four days from discovery is timely enough. But so often, organizations experience breaches where an attacker was already inside their corporate network—sometimes for weeks or months—before they identified the attack.”
Continuing with the example, Britton puts forward: “The SolarWinds attack is a prime example of this, but we also just saw this happen with the hack on U.S. government email accounts through a Microsoft vulnerability, where the attackers were lurking within those accounts for as long as a month before customers noticed anomalous mail activity.”
With the next advantage, Britton says: “Secondly, the mandated disclosures are required only if the breach has a “material” impact on operations, revenues, or stock price. But without a concrete definition around what is considered “material,” this can feel somewhat arbitrary, and may lead to some material breaches going unreported. Plus, in many cases, an organization won’t know the extent of their material damages until much later.”
In terms of learning from such issues, Britton indicates: “There is a question around whether the bar should be lowered. For example, there is a case to be made for disclosing any type of breach—even if it’s a BEC attack that results in relatively lower financial loss, like in the thousands of dollars, or if there are repeated incidents.”
This leads to his final point: “Is a single material breach any worse than attacks that are less costly, but more frequent? Organizations have a duty to be transparent with their customers and investors, so at what point do we draw the line?”
