The Securities and Exchange Commission has officially reached the implementation dates for its historic cyber incident reporting requirements.
The rules, which require companies to report material cyber incidents within four business days of determination, are leading to significant changes in how companies prepare for and implement cyber risk strategies at the highest levels of publicly traded companies that operate in the U.S.
Firms have been actively reviewing their incident response programs to determine whether they are getting the right information to make an informed decision on materiality, said Joe Nocera, lead partner of cyber, risk and regulatory marketing at PwC. “So they’re looking at that definition of materiality, which is reasonably vague by the SEC, and they’re saying, how do we apply that to our organization?”
One of the key goals of the SEC is to make sure companies are better prepared to mitigate material breaches, ransomware or nation-state espionage attacks.
Despite a number of regulatory enhancements at the federal and state levels after attacks against SolarWinds and Colonial Pipeline, the U.S. has experienced a resurgence in ransomware and other malicious activity, fueled in part by nation-state activity linked to Russia, China and more recently Iran.
“The continued geopolitical tension around the world provides a perfect storm for bad actors and nation state attacks and the government is using all its regulatory policy might to enforce cyber compliance,” said Lisa Donnan, a partner at Option3, a private equity fund that specializes in cybersecurity.
Investigations related to some of the nation’s biggest attacks and breaches in recent years show a pattern where corporate executives were unaware or missed glaring security risks that could have prevented some of these attacks from taking place.
Morgan Stanley was ordered to pay $35 million to settle SEC allegations it failed to protect the personally identifiable information of 15 million people.
The Department of Transportation found that Colonial Pipeline committed multiple control room violations after an investigation linked to the 2021 ransomware attack, and recommended up to $1 million in civil penalties.
In other investigations, top executives deliberately misled investors about software vulnerabilities, mitigation strategies or other measures that could have been taken to prevent an attack.
In the SEC civil suit against SolarWinds and CISO Tim Brown, the agency alleges that internal presentations and emails were circulated during the two years between the IPO and the December 2020 Sunburst attack that discussed weaknesses in its Orion software platform and concerns about remote access security.
Meanwhile, the company was making public statements to investors touting the security of its platform and hid those internal discussions from the public.
How to respond
Companies are reassessing their existing incident response plans, including synchronizing those plans to work alongside the new disclosure requirements, according to Jerome Tomas, chair of Baker McKenzie's SEC and Financial Institution Enforcement Group.
That work includes conducting tabletop exercises with legal and information security teams, Tomas said.
“Public companies are very familiar with the factors that go into a materiality determination,” Tomas said. “That said, companies are sharpening their focus on determining how, for example, previous quantitative materiality metrics can be applied and used for cyber incidents.”
The information used to determine a material impact during a data security incident is often fluid at the beginning. That information can include several different elements, including:
- The amount of impacted data
- The number of impacted customers
- Business disruption costs
- Ransom payments
- The type of PII at issue
As part of developing a more robust incident response plan, companies should develop a relationship with their local FBI office, according to Chris Stangl, a managing director at the cybersecurity and investigations practice at Berkeley Research Group and a former FBI agent.
“In times of crisis, it’s never a good idea for first contact to be made while in the deep throes of a response,” Stangl said via email.
The FBI can provide expert advice to companies after an incident and help determine at a fairly early stage whether an incident is substantial, he said.
The FBI earlier this month disclosed the process for a company to request an SEC reporting delay, which is usually based on national security grounds and must be run through the senior levels at the Department of Justice.
Mitigation strategies
A key focus of the new SEC rules is to require companies to disclose some of the key elements of their risk mitigation strategy.
The idea is to inform investors whether the company had a plan in place to reduce the overall risk of an attack and make sure the company had the ability to respond to a cyber breach or malicious intrusion.
Brian Walker, CEO and founder of the CAP Group, said one of the biggest concerns companies are grappling with is how to balance disclosures that satisfy the regulatory requirements against the risk of releasing so many details that the company is exposed to government or investor action.
“I think they’re more concerned about how much detail is sufficient for the SEC and for shareholders to feel comfortable that things are under control,” Walker said. “But not so much detail that any incident in the future might make them go awry of what they said they were doing, and open the door for litigation, or fines from the SEC.”
Another key concern for the SEC was board oversight of cyber risk. For many years, companies have failed to maintain regular contact between security operations teams and the board of directors.
Capital One was forced to pay $80 million in penalties and enter a consent order with the Office of the Comptroller of the Currency after a 2019 breach led to 106 million customer accounts being compromised.
The Federal Reserve issued a cease-and-desist order against the bank and required the board of directors to submit a plan on how it would improve risk management and internal controls.
A study from BitSight and Google released last week shows that companies are still falling short on some fundamental risk indicators.
Companies underperformed in six out of 16 minimum viable secure product controls, the report found. Among the worst-performing controls, companies were particularly weak in dependency patching, vulnerability prevention and time to fix vulnerabilities.
Despite the concerns about oversight, the SEC dialed back its original proposal to have companies disclose specific information about cyber expertise on the board.
There were concerns that requiring companies to recruit cybersecurity experts to their boards would potentially force them to divert resources that could be spent on other cybersecurity investments or other board priorities, according to Erik Gerding, the SEC's director of the Division of Corporate Finance.
“Instead, the final rule focuses on disclosures regarding management’s role in assessing and managing material risks from cybersecurity threats,” Gerding said in comments released Thursday before the enforcement dates went into effect.
Cybersecurity and Infrastructure Security Agency Director Jen Easterly has increasingly called out C-suite executives and corporate boards about their lack of ownership over managing cyber risk, warning that corporate leaders could no longer continue to pass off that responsibility to CISOs alone.
Public companies have taken steps to increase the amount of security expertise on their boards in recent months.
Earlier this month, Marriott Vacations Worldwide named Mary Galligan to join its board of directors effective Jan. 1. Galligan was managing director of Deloitte’s Cyber & Strategic Risk practice for more than a decade and also previously served as a special agent with the FBI.
Meanwhile, Wex, a global commerce platform, earlier this month elected Aimee Caldwell, former EVP and CISO at UnitedHealth Group, to its board of directors.