New SEC Rules Mandate Cybersecurity Transparency and Oversight

The new SEC Rules establish a framework that requires rapid disclosure of material cybersecurity incidents (within 4 days), that companies be able to explain their cybersecurity posture and how they manage risks, and that boards describe their oversight of and expertise in cybersecurity.

This is a major leap forward for securing US public companies!

The new regulation drives transparency of incidents, risk management processes, and board accountability. It may be the most impactful cybersecurity event this year that shifts the trajectory of how cyber risks are managed!

The new SEC Rules establish a framework that requires:

1. Rapid disclosure of material cybersecurity incidents (within 4 days)
2. Companies to be able to explain their cybersecurity posture and how they manage risks
3. Boards of Directors to describe their oversight of and expertise in cybersecurity

These three simple rules will shake the current inconsistent foundations across every sector, which are often flimsy, and force companies to build strong programs, integrated with board support, to protect customers’ and shareholders’ interests!

Overall, I very much like this requirement! Historically I have despised tech regulations, except when financial incentives fail to drive the industry to serve the best interests of the public, shareholders, or customers. It was true for Sarbanes-Oxley, privacy, and now cybersecurity.

There will be concerns about the definition of ‘materiality’ and the 4-day reporting requirement.

So first, as a former Incident Commander for an F100 tech firm: yes, businesses can report material breaches within 4 days. Typically, you understand how hot the fire may get in the first few hours. If you know the CEO will need to be briefed, it may be ‘material’, so the regulatory reporting team can get ready. This is doable.

Will a clear picture be determined of the root cause, scope of impacts, final damage tally, and every entity identified?

No. Not in 4 days. Incident response teams will not have all the final details or scope when they make the initial report. Those details will eventually come. The first thing is to notify shareholders. Keep in mind, if it is ‘material’ and you don’t make it public, how many insiders are going to SELL their stock/options because they know something that the public does not! Yeah, insider trading is bad.

Will companies ignore the requirements or try to game the system by fudging the date when they realized an incident was ‘material’?

Overall, public companies go to tremendous lengths to not violate SEC rules. Additionally, they really don’t like strong shareholder lawsuits that specify failures in the Board of Directors’ due care and diligence. If companies choose not to comply, then shareholders will have a very durable suit when they sue for damages.

The SEC can fine the company and sanction board members. And public sentiment may shift even more negatively, as news outlets will clearly cover such aspects in their reporting of incidents.

It would not surprise me if companies try to take small liberties in the interpretation of when they realized an incident was ‘material’. Taking an extra day might go under the radar, but that is still a tremendous gain for investors, who are often shut out from such events for long periods of time. In fact, many data breaches and cyber-attacks are revealed by security researchers or customers first. Only then do companies feel compelled to make a public announcement.

Anything more than a day will probably be scrutinized. It would be hard for a company to claim that they didn’t believe it was material at a point when everyone is on red alert, they have called in major forensic and incident response vendors, production is stopped, millions of sensitive customer records are on the darknet, or their customer support boards are lit up like a Christmas tree on fire. Those will be the details that are brought up in the lawsuits and SEC investigation.

So overall, the 4-day notification rule is reasonable.

I believe all these requirements will force transparency for incidents, commitment to cybersecurity risk management, and board responsibility/expertise!

Ironically, many of the companies who will voice opposition will likely also take advantage of such public data to understand the security posture and board expertise of other companies when they evaluate business partnerships and M&A deals, define supplier requirements, and make vendor selections. Customers, investors, insurance providers, and potential business partners will want to know if a company they are financially tied to has a mature cybersecurity program that is overseen by savvy board members.

The ripples of this SEC requirement will drive significant and fundamental improvements to cybersecurity that help everyone!

SEC Press Release: https://www.sec.gov/news/press-release/2023-139