December 7, 2022
It's almost a day-to-day routine for us in this area to tell you how worrying the growing cybersecurity threats and risks are because of the dire impacts they can have on individuals and organizations worldwide. Factors such as the ongoing digital transformation, the growth of remote work and digital transfers of money, the ability of threat actors to enhance and execute cyberattacks, and the increasing reliance on third parties for information technology services have contributed to the rise in cybersecurity risks. Cyberattacks or cybersecurity incidents can mean high costs for companies and their investors, such as operational disruptions, extortion payments, remediation actions, reputational impacts, legal fines and bankruptcy. The reduction of cybersecurity risks and potential costs for companies and their investors depends on the strategies implemented by the management and boards of directors of these companies. New regulations like the ones discussed in this post will surely lead many organizations to reinforce their cybersecurity plans and practices.
The "proposed rule" by the SEC
On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) issued a press release proposing "amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies." The period for receiving public comments and feedback, in order to make adjustments to the proposals, was initially 60 days. However, in October of the same year, the SEC reopened this comment period due to an apparent technical error that had prevented it from receiving some messages from interested parties. As we see on the SEC website in the comment section for this proposal, the messages received range from April 22 to November 12. It's expected that by 2023 these proposed rule modifications by the SEC will become effective.
Before describing these regulatory proposals and their potential benefits and costs, let's clarify a couple of things. The SEC is an independent agency of the U.S. federal government that seeks to enforce the law in order to maintain an orderly, efficient and fair market, protect investors and promote capital formation. In furtherance of these purposes, the SEC requires public companies and other companies regulated by the Securities Exchange Act of 1934 to file periodic reports, not only financial but also reports on their operational performance and future goals. By the way, when we talk about a public company, we mean one "whose ownership is organized via shares of stock which are intended to be freely traded on a stock exchange or in over-the-counter markets." The new SEC regulations are and will be highly relevant to the boards of directors (aka "boards") of these companies, i.e., the executive committees that oversee the activities of such organizations. It seems that many boards of public companies are already doing so, but with proposals such as the one referenced here, many others will be forced to pay more attention or care more about cybersecurity oversight as a top priority or necessity in their organizations.
The official document delivered by the SEC is called "Proposed rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure." With 129 pages, this document presents some background information, the proposed amendments in detail and an economic analysis, among other things. In general, what the SEC aims to establish as requirements for companies (aka "registrants") are the timely delivery of reports on material cybersecurity incidents and periodic disclosures on their policies and strategies used for the detection and management of cybersecurity risks, their governance in these matters and the cybersecurity expertise and oversight role of their board. The following is a brief description of these regulations and their benefits and costs (we don't go into details like the names of the amended rules or added items; we recommend that you read the full document):
Disclosure of material cybersecurity incidents
Although it may sound a bit ambiguous, according to Vinson & Elkins, "Incidents may be material if they have significant [impacts] on the company's financial position, operation, or relationship with its customers." Currently, owing to concerns such as potential loss of reputation, many companies do not report the incidents of this kind they experience, or at least do not do so in a timely, complete and consistent manner. Sometimes, as the SEC says, referencing an investigation, even "the industries experiencing the most high profile cybersecurity incidents provided disclosure with the 'least amount of information.'" Therefore, this U.S. commission proposes requiring registrants to report each material cybersecurity incident within four business days after they determine they have experienced it. The SEC would expect companies to disclose for each incident information such as the following: the date of discovery, current status, description of its nature and scope, effect or impact on the company's data or operations, and remediation actions.
Updates to previously (un)disclosed incidents
A new regulatory item would require registrants to disclose modifications, additions or updates to previously revealed material cybersecurity incidents. In addition, the SEC would require companies to divulge corresponding information when a series of previously undisclosed individual "immaterial incidents" (say, those that didn't have "significant" impacts) become material when aggregated.
Disclosure of risk management, strategy and governance
As the SEC states, "Staff in the Division of Corporation Finance has observed that most of the registrants that disclosed a cybersecurity incident in 2021 did not describe their cybersecurity risk oversight and related policies and procedures." Companies then would be required to consistently describe in detail their policies and procedures for the prevention, detection, assessment, monitoring and management of cybersecurity risks and threats. Linked to this, on another point, the SEC would require each company to disclose its governance capabilities, including information on oversight by its board and its management's involvement and expertise in implementing the policies and strategies outlined. This would include, for example, reporting on the presence of a chief information security officer, their expertise, and their processes of incident monitoring and reporting to the board of directors.
Disclosure of the board's cybersecurity expertise
For investors knowledgeable about cybersecurity issues, being aware of whether there is at least someone with cybersecurity expertise on the board of a registrant in which they may be interested is certainly valuable. With the amendment of a regulatory item, the SEC would precisely require companies to disclose, if any, the cybersecurity expertise of their board members. They would be asked to add details describing the nature of the expertise of whoever possesses it. Among the criteria to be considered in determining whether directors have cybersecurity expertise would be, for instance, their prior experience (e.g., as information security officers, security engineers, security auditors, security policy analysts), certificates or degrees obtained, and knowledge and skills (e.g., in security architecture, security assessment, risk management, incident handling).
Potential benefits and costs
On the side of investors and other market participants who interact with investors, the SEC believes that they would benefit from the proposed amendments in several respects. Enhanced disclosure (compared to the current disclosure framework), i.e., a more timely, clear and consistent revelation of cybersecurity incidents, would keep investors alert and adequately informed, as such incidents can affect the performance, reputation and valuation of registrants to varying degrees. In addition, investors would be able to broadly recognize how these companies respond to incidents and what their governance strategies and practices are in the face of cybersecurity risks. This would facilitate their investment decision-making process. Such decisions would also benefit from greater uniformity in disclosures, which would make it less costly for investors to compare companies.
On the side of registrants, those that do not currently make such disclosures but will in the future demonstrate robust risk management measures and strategies could be valued more highly by investors. Those companies that were already applying these proposals could also re-evaluate and improve their cybersecurity risk management, strategy and governance and consequently reduce their capital costs. In addition, the disclosure requirement could mean that companies would no longer be able to act on incentives (e.g., reputational) not to report, and there would be a fairer and more transparent comparison between registrants.
Regarding the potential costs of these proposals, the SEC warns that companies could have increased vulnerability. The concern is that cybercriminals could have these reports of cybersecurity incidents and risk management policies and practices at hand to serve as guides for future cyberattacks. Based on these reports, they could define certain companies as targets and take advantage of those with weak risk management strategies or that don't even have boards with members with cybersecurity expertise. Although the SEC has said that (while more details would be required than is currently the case) they would not expect companies to publicly disclose specific technical information about their systems, vulnerabilities and responses to incidents, the aforementioned concern seems to remain. However, the SEC states that "academic research so far has not provided evidence that more detailed cybersecurity risk disclosures would necessarily lead to more attacks."
Moreover, it could be perilous to report within the required time frame when the security issue has not yet been resolved, as the disclosure could aggravate the ongoing attack. Another potential cost would be that "the proposed rules do not require registrants to quantify the impact of the incident." Incident impact reports would be qualitative and inaccurate, leading to uncertainty and inadequate valuations of companies by investors or other market participants. Finally, the SEC speaks of compliance costs, i.e., those that would be incurred in gathering information and preparing the requested disclosures.
How to be ready for what is coming?
The answer to this question is: improve your cybersecurity posture, in terms of prevention, management and resilience alike. Period. While these new regulations lead to nothing more than disclosure of what has happened within your company and what you're doing with your managers and boards of directors regarding cybersecurity, they implicitly call for strength and maturity. To keep your (public or private) company afloat and competitive in its market, our recommendation is that you formulate, improve or redesign your cybersecurity plans, strategies and practices as soon as possible. We invite you to reflect with your teams on the following questions.
Do you recognize that your organization is at risk of receiving and being affected by cyberattacks? Do you already have cybersecurity investment as one of your priorities? Is your company prepared to prevent, detect, respond to and recover from cybersecurity incidents? How is risk management presented and discussed among your operational leaders and boards, and how often does this happen? How experienced are your executives, managers and board of directors in cybersecurity? What cybersecurity oversight is your board undertaking? Do directors fully understand security risks in financial terms, beyond the technical jargon? Is your company employing the best security testing methodologies to detect vulnerabilities in your systems? Are you prioritizing and remediating such security issues promptly to avoid falling victim to cyberattacks?
Do you want to improve your organization's posture and maturity in terms of cybersecurity? At Fluid Attacks, we help your company to be prepared not only for these new regulations but also to face the growing cybersecurity risks and threats that are creating so much havoc in the world. Just contact us! (If you want, start by trying our 21-day free trial of security testing with our automated tools.)
Caution: Many details of the proposed amendments are missing in this blog post. Having read this post in no way replaces a careful reading of the "Proposed rule." For a thorough understanding, we recommend you read that document fully.