In a recent development, Steve Cobb, who oversees cybersecurity as CISO at risk intelligence firm SecurityScorecard, has pointed out significant changes in the contract language that public companies began proposing approximately six months ago. At that time, publicly traded companies began demanding more control over how their third-party providers respond to a breach. Some suggested taking over the incident-response process outright, while others required the third-party provider to determine within a few hours whether a breach could be considered material. Cobb added that similar contract language has been proposed by SecurityScorecard’s own customers.
The driving force behind these changes is the Securities and Exchange Commission’s rule on cybersecurity risk management and incident disclosure, which became effective in December of last year. The rule has altered how companies approach incident response alongside their third-party suppliers. According to Cobb, public companies are now incorporating clauses in their contracts that allow them to assume control of the incident response process in the event of a breach at one of their suppliers. This shift is concerning for for-profit organizations and could lead down a perilous path.
The repercussions of these changes are not limited to private third-party providers, as enterprises themselves are making efforts to align their operations with the SEC’s mandate. Chief Information Security Officers (CISOs) are particularly worried about being held accountable for errors in determining breach materiality, especially in light of the recent prosecution of SolarWinds’ CISO. Companies risk hefty fines if they fail to notify the SEC of a material breach.
A survey conducted by cloud-security firm VikingCloud revealed that 68% of cybersecurity teams do not believe their company could meet the four-day disclosure rule mandated by the SEC. This underscores the challenges and complexities that organizations are currently facing in the realm of incident response and cybersecurity compliance.
Large public firms, on the other hand, have mechanisms in place to address these challenges. They already have disclosure committees that assess various events for potential material impact, including cybersecurity incidents. Naj Adib, a principal at consultancy Deloitte, emphasized the need for organizations to coordinate between different departments – IT, cybersecurity, legal, and business – to determine the significance of cybersecurity events. CISOs can leverage tabletop exercises to streamline the process of assessing materiality and gathering evidence for timely disclosure.
However, the response to the SEC’s mandate varies across different companies. While larger companies have been proactive in addressing these requirements, smaller companies face more hurdles in establishing a documented process for incident response. Matt Gorham, from PricewaterhouseCoopers, highlighted the importance of documenting the incident response process and continuously reassessing the impact of breaches to ensure compliance.
Concerns arise regarding the preparedness of smaller companies and third-party providers, especially when it comes to regulatory compliance. In cases where the cybersecurity team is small and handles both incident triage and security control configuration, there is a risk of regulatory non-compliance due to human errors. Cultural changes are needed to ensure that individuals are not penalized for reporting incidents, as highlighted by Jon Marler from VikingCloud.
The role of CISOs in this evolving landscape is crucial, as they are at the forefront of breach response and regulatory compliance. While some CISOs feel adequately supported to navigate these challenges, many are being tasked with making critical determinations without the requisite authority or resources. The pressure on CISOs to bear the legal consequences of breach response is significant, as they are increasingly viewed as expendable entities in the cybersecurity realm.
In conclusion, the shifting dynamics in incident response and cybersecurity compliance underscore the need for organizations to adapt quickly to meet regulatory mandates and safeguard against potential breaches. Collaboration between different departments, streamlined processes, and a culture of transparency and accountability are essential to navigate the evolving cybersecurity landscape effectively.
