Confusion Abounds Over SEC’s New Cybersecurity Material Rule

The new cybersecurity disclosure rules approved by the Securities and Exchange Commission (SEC) aim to provide investors with better information about the cybersecurity risks associated with public companies. Additionally, the rules encourage public companies to enhance their cybersecurity and risk posture. However, concerns have emerged regarding exactly which incidents to report and what information should be disclosed.

One of the main challenges is determining when an incident is considered “material,” which means it can have a significant impact on a company’s financial position, operations, or customer relationships. The new rules require companies to create a mechanism to determine the materiality of a security incident. This task is deceptively difficult for several reasons.

Firstly, establishing a group of senior managers to regularly make materiality determinations is a bureaucratic and logistical challenge. Secondly, security incidents often look different over time as additional analysis is conducted. Therefore, if a committee analyzes a data breach shortly after its discovery, they may make a decision based on incomplete and flawed preliminary data.

This presents a dilemma for enterprise executives. They can choose to report an incident as a material security event quickly, risking the possibility that it is later deemed non-material. Alternatively, they can wait for forensic analysis and examination of backup files to provide a more accurate picture, but this may lead to accusations of untimely disclosure.

Additionally, the SEC’s four-day disclosure timetable poses challenges. Preparing an SEC filing requires Security Operations Center (SOC) staff to compile specific incident details, which then need to be reviewed by various departments, such as Legal, investor relations, and the CEO. This process can take longer than four days.

Determining what constitutes a material incident requires careful consideration by corporate leadership. Factors to consider include the organization’s verticals, geographies involved, nature of operations, and the type of attackers and attacks the business is likely to attract. Each company will have its own unique considerations in determining materiality.

Another challenge is defining incidents. Security professionals and lawyers have different definitions of “data breach.” Lawyers consider a breach to occur when data is accessed, exfiltrated, or modified/deleted. On the other hand, security managers view any unauthorized access to protected areas as a breach. The SEC seeks disclosure of any security incident, which could include DDoS attacks that might not be considered data breaches.

The SEC has also carved out an exemption regarding the specific technical information about a company’s response to an incident or its cybersecurity systems. While this exemption protects ongoing investigations and potential vulnerabilities, it may limit the meaningful information provided to investors and potential investors.

Experts in the cybersecurity field, such as Mark Rasch and Michael Isbitski, have raised concerns about the potential flood of disclosure filings and the lack of clear definitions for incidents. They worry that companies may provide vague and speculative comments that are not valuable to investors.

Determining which incidents are material will likely require the involvement of a management committee. However, relying solely on SOC staff to make this determination could undermine the purpose of creating a committee. The committee needs to provide clear guidance to the SOC and establish what information they want to know.

In conclusion, while the new cybersecurity disclosure rules aim to improve transparency and enhance cybersecurity practices, challenges remain regarding incident reporting and determining materiality. Companies must carefully consider the specific context of their business and work with their management committees and SOC teams to provide meaningful and valuable information to investors while protecting ongoing investigations and potential vulnerabilities.
