Do CISOs Need to Report Security Flaws to the SEC?

The recent announcement by the Securities and Exchange Commission (SEC) that it wants to be notified of any material security incident within four days has left chief information security officers (CISOs) grappling with the definition of a material security incident. While the focus is on cybersecurity threats that could potentially affect a company’s information systems, CISOs are left wondering whether security vulnerabilities should also be reported.

The SEC’s final rule defines a cybersecurity threat as any potential occurrence that may result in an unauthorized effort to adversely affect the confidentiality, integrity, or availability of a registrant’s information systems. However, the emphasis is on the process rather than individual vulnerabilities. This raises the question of whether security vulnerabilities need to be reported under the new SEC rule. If a security flaw has been fixed, there is no ongoing risk. Furthermore, the SEC has provided an exception for reporting if disclosing the vulnerability would weaken a company’s cybersecurity posture.

But the issue is not as straightforward as it seems. According to Andy Ellis, operating partner at YL Ventures and former CISO at Akamai, the focus should be on the outcome of a breach that could exploit the vulnerability, rather than the vulnerability itself. If a breach using a particular vulnerability would have disastrous consequences, then it can be considered material.

Ellis suggests that it’s more about the company’s risk management process and procedures. He believes that instead of just considering the presence of vulnerabilities, the SEC should have required companies to disclose risk management metrics such as the number of vulnerabilities patched and how they were detected and reduced.

Nick Vigier, former CISO at Talend, adds that there are always gaps and potential issues in cybersecurity, and it’s impossible to enumerate every possible issue. Some attacks that could exploit security vulnerabilities are extremely unlikely. Therefore, the difficulty of actually remediating vulnerabilities often outweighs the policy requirements.

Justin Greis, a cybersecurity consultant at McKinsey, raises concerns about the challenges of remediation, especially when it involves large-scale patching that cannot be automated. He emphasizes the need for enterprises to have a strict process for evaluating vulnerabilities and creating a priority list for repairs, considering both security and business needs. Greis suggests resolving critical flaws within seven days, high-severity ones within two weeks, and low-severity ones within 30 days.

The complexity increases when considering cloud environments, as companies rely on cloud vendors to perform some of the repairs. Andy Ellis recalls vulnerabilities at Akamai that took years to resolve because all customers had to deploy the fix first. The challenges of remediation in the cloud further complicate CISOs’ decision-making process.

The predicament that CISOs face is that if an attacker exploits a security vulnerability and a data breach occurs, reporting it as a material security incident can lead to shareholder frustration and lawsuits. However, fixing every vulnerability immediately is often not feasible due to resource limitations. Mark Rasch, a cybersecurity enforcement attorney, states that zero risk is not a requirement under the SEC rules. CISOs need to consider the nature of the vulnerability, the likelihood of an exploit being developed, the skill set required, the potential for harm, and the costs involved in mitigation.

In conclusion, the SEC’s new rule has left CISOs grappling with the definition of a material security incident, particularly when it comes to security vulnerabilities. The focus should be on the potential outcome of a breach that could exploit the vulnerability, rather than the vulnerability itself. Risk management processes and procedures, as well as the ability to assess and prioritize vulnerabilities for remediation, play a crucial role in determining what should be reported under the new SEC rule. CISOs must strike a balance between disclosing relevant information and managing the challenges of remediating vulnerabilities within resource limitations.
