In December, the U.S. Securities and Exchange Commission (SEC) rules for reporting cybersecurity incidents at public companies went into effect. Now that these rules have been in place for six months, what impact are they having on public companies and enterprise security leaders?
8-K disclosures are happening
SEC rules require public companies to disclose cybersecurity incidents within four days of determining that the incident is material. These disclosures must be made through an 8-K filing.
Many companies have filed 8-Ks, some even before the regulations officially took effect. “In the fall, there were some pretty notable violations at companies like MGM and Clorox, and it turns out they actually went through the 8-K process and disclosed them ahead of the regulations,” said Karen Walker, CFO of cloud security company Sysdig.
Are the SEC rules working as intended?
“Investors need to gain more insight into an organization's risk oversight practices and the role that the board and management play in implementing them,” said Nithya Das, chief legal and administrative officer at Diligent, an ESG, governance, risk and compliance SaaS company.
Some of the 8-K disclosures filed under the SEC rules, including those from apparel company VF Corporation and insurer UnitedHealth Group, have faced criticism for being light on details. Forbes noted that the quantitative impact of these incidents was not included in the filings.
Walker points out that it can take time for companies to reveal that level of detail about incidents. “It's better to go ahead and give an update than to try to speculate or leave out too much information and have to come back later and say, 'No, that wasn't right,'” she explains.
Clorox was hit by a cyberattack in 2023, the impact of which has been detailed in multiple 8-K reports. In its latest 8-K, filed on April 30, the company reported its financial results for the third quarter of 2024, including details on how the cyberattack affected those results.
As time goes on, will companies release more information in updated 8-Ks? Will the SEC start requesting more information when scrutinizing compliance? Only time will tell.
Questions of materiality linger
As companies familiarize themselves with this regulatory requirement, the definition of materiality remains one of the biggest questions. “When I talk to CISOs and other security leaders who have to deal with this, a lot of what they're still wondering about is materiality,” Tim Chase, global field CISO at Lacework, a cloud-native application protection platform, told InformationWeek.
This ambiguity around materiality could lead companies to err on the side of caution, believing that reporting is better than not reporting. “At this point, there is no clarity, but we see most companies leaning toward 8-K disclosures, which could eviscerate the purpose of the disclosure requirements,” Das says.
Tackling the thorny issue of materiality requires collaboration between security, privacy, and legal executives. “Make sure your CISO, CLO, and CPO are all on the same page,” Chase recommends. “These three people will decide whether something is important or not.”
Over time, public companies may gain a clearer understanding of how the SEC views materiality. “Once it's enforced and the cases come to light, it's likely to become a real-world guide to understand what people think about the ratings,” Walker said.
Cybersecurity is a board-level issue
Under these SEC rules, publicly traded companies are also required to include information about cybersecurity risk management and governance in their 10-K filings. The message is clear: cybersecurity is a board-level issue. How are boards responding to the rules?
“What I'm hearing from peer groups, other board members, and some companies is that they think board renewals are…the most common change,” Walker said.
An analysis of the first round of 10-K filings conducted by professional services firm PwC found that most of the filing companies indicated that their CISO regularly updates their board of directors. However, boards do not appear to be engaging in cybersecurity learning themselves: according to the PwC report, only 8% of filing companies shared that their board members are committed to upskilling.
While changes to boardroom composition may take time, companies are thinking about the important role cybersecurity has to play. The vast majority of respondents (80%) to a survey conducted by security automation company Swimlane said companies should include at least one person with cybersecurity expertise on their board of directors.
CISOs think about personal risk
Personal risk is a topic of discussion and concern in the CISO community. In October 2023, the SEC charged SolarWinds and its CISO with fraud and internal control failures. “The SEC's enforcement action against SolarWinds and its CISO has definitely sent quite a scare into the CISO world,” Walker says.
A panel discussion at this year's RSA Conference in San Francisco highlighted the increasing pressures CISOs face and the risks that come with the role.
This concern raises the question of what protections CISOs should have. Scott Algeier, executive director of the nonprofit Information Technology Information Sharing and Analysis Center (IT-ISAC), has spoken with “…CISOs who are considering obtaining liability insurance for their role or adding it to their corporate policies.”
If CISOs are expected to accept the potential risk of personal liability from regulators, they may also need to evaluate their position within the company. “CISOs are often in positions of responsibility, but not necessarily authority,” Algeier points out. This tension adds to the discussion of the CISO-board relationship. How often should a CISO interact with the board? And should CISOs be involved in the discussion?
Navigating the regulatory environment is complex
Cybersecurity isn't likely to fall off the SEC's radar anytime soon, as it is a recurring theme in the agency's 2024 Exam Priorities report. For example, the SEC has said it will focus on cybersecurity issues related to third-party vendors.
And the SEC isn't the only regulator focused on cybersecurity. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which requires covered organizations to report incidents to the Cybersecurity and Infrastructure Security Agency (CISA), will soon go into effect. Regulations from other countries and industry-specific regulations also pose challenges for many CISOs.
“Some of the regulations are complementary. Some overlap. Some of them compete with each other,” Algeier says.
There are also calls for regulatory harmonization. For example, the Biden-Harris administration's National Cybersecurity Strategy, announced last year, calls for the harmonization and streamlining of new and existing regulations to reduce the compliance burden.
But in the meantime, corporate leadership teams must operate within this complex regulatory environment, which is further complicated by budgetary issues.
“Security budgets have barely increased. So there's a tension between directing resources to security or directing resources to compliance, in addition to everything else CISOs are doing,” Algeier says.
So what should CISOs and company leadership teams do to ensure they continue to operate in compliance with SEC rules and other regulatory obligations?
“CISOs must keep in mind their ability to quickly, easily, and efficiently meet the requirements set forth by the SEC, especially if they are the victim of an attack,” says Das. “This means not only putting the right processes in place, but also investing in tools that ensure reporting is done on newly condensed timelines.”
Tools that drive automation could be one answer. “I think this is one of the areas where GenAI could be useful in the next two to three years,” Chase says. “If we can detect events faster, it helps us meet our reporting requirements.”
But AI is a double-edged sword. As new and useful tools proliferate, so do risks. “I think we're going to see sensitive data leaked as a result of AI, and if it's important, it could certainly be reported,” Walker points out.
Six months is a relatively short period of time in the regulatory world. Over time, more filings and potential enforcement actions will reveal how the SEC's rules shape public companies' approaches to cybersecurity.