A CISO's take on the SEC’s new cyber rules

Aug 07, 2023

The SEC announced its long-awaited cyber rules on July 26, sending industry pundits to their keyboards and cyber leaders scrambling to understand how they may impact their organizations.

While it will take months if not longer for the dust to fully settle, and for public companies to fully understand the impact, I thought I would offer some early interpretation of how they may impact security teams and the executives who lead them. 

Two aspects of the new rules in particular have generated the bulk of the feedback I’ve seen so far. The first is the requirement that cyber incidents be reported within four days of being deemed “material” – importantly, except where such disclosures could affect national security or public safety. 

Given the reaction this rule received during the proposal phase, I was not surprised to see it draw the bulk of the criticism. In fact, blasting the four-day timeline is easy enough that I will start with some positives. 

I do think it’s fair that the SEC has established a timeline for reporting cyber incidents. This holds an organization and its security leadership culpable for their response. From the SEC’s perspective, this will ensure shareholders in public companies quickly receive information that could threaten the value of their investments.

The rule will also supersede state-level incident reporting mandates for public companies, clearing up the confusion arising from having to navigate a patchwork of laws sprawled across a company’s operating territory. 

Ultimately, though, like many, I believe the four-day reporting period is too brief for organizations to investigate an incident, evaluate its "materiality," and initiate a response that is both useful and insightful. Any statement regarding an incident response in process is unlikely to be more substantive than, "We are aware of an incident and are currently responding," although maybe that's what the SEC has in mind.

During the comment period, several financial services advocacy groups asked the SEC to undertake more "thoughtful consideration of the burdens, impacts, and justifications for certain of the proposed requirements in the Proposal."

I fear the commission did not address many of the valid concerns this and other groups raised. Only four days after discovering a breach, security teams may still be unable to confirm an attacker has been fully expelled from an organization’s systems, leaving the door open for possible escalation. The effort required to release a statement may also interfere with incident response activities. Finally, CISA must ensure that any direction it releases on incident reporting does not contradict the SEC’s.

Those opposed to the new rules may see some wiggle room in the word “material,” and there does seem to be some early confusion about just how much latitude it provides. But, since the SEC has stated that these criteria must be ruled on "without unreasonable delay following discovery," I wouldn’t count on it being a persuasive argument for delaying the disclosure of any significant breach for too long. 

The second significant change is that publicly-traded companies must now annually report on processes for “assessing, identifying, and managing material risks from cybersecurity threats.” 

I believe this will significantly impact how security executives measure and convey cyber risk acceptance and mitigation strategies to boards. As many expected, the value of the expertise provided by career security professionals will skyrocket as these rules come into effect. CISOs able to effectively relate their organizations’ exposure and corresponding controls, in financial terms wherever possible, will become the most sought-after.

Boards themselves will also be called upon to justify their own oversight of such risk. They will be de facto roped into building a better understanding of cybersecurity issues threatening the business and its shareholders. When the SEC rules formally come into effect, cybersecurity will patently make up part of their fiduciary responsibility to stakeholders.

On first reading, it may seem striking that the SEC dropped the cyber expertise requirements from its proposed rules, though I would argue that the rules simply weren’t as explicit as some had hoped (or feared). While there’s more of a gray area than some would like, I predict these new SEC rules as released will force boards to elevate their cyber expertise as a result of the increased premium on the reporting of cyber incidents and mitigation strategies.

Fundamentally, these rules confirm the importance of enterprise-level cybersecurity to global business and those who invest in it. By passing such regulations, the SEC is affirming the need for serious funding and leadership oversight of cyber risk. It should be commended for essentially freeing up a chair in the boardroom for CISOs and other top cyber positions at the country’s most consequential companies. 
