The Impact of the SEC’s New Cyber Disclosure Rules

The newly instituted cyber incident reporting rules of the US Securities and Exchange Commission (SEC) are causing concern among corporate executives, particularly CISOs, who are responsible for compliance and disclosure. The rules require publicly traded companies to disclose cyber incidents within four business days of determining that they are material to the company’s bottom line. This places the task of judging an incident’s materiality in the hands of CISOs, a judgment that can be difficult to reach in a timely manner.

CISOs are also expected to ensure that the C-suite and board are informed about any cyber incidents. Failure to do so can lead to legal consequences, as seen in the case of the Uber ransomware attack cover-up earlier this year. A recent survey by Proofpoint reveals that the majority of CISOs are already concerned about liability when it comes to incident response and governance compliance, and the new SEC rules are adding to their worries.

Ryan Witt, VP of industry solutions at Proofpoint, acknowledges the difficulties faced by CISOs in their role. He says, “The CISO role has never been easy, and it looks a lot less appealing when you add responsibility to the pressure, the on-call hours and the stress.” However, Jeff DiMuro, deputy CISO at IT firm ServiceNow, suggests that for some companies, the SEC’s new rules may not bring significant changes. DiMuro states, “The SEC rule we think just memorialized a demarcation of the four-day reporting rule, but these are things we have to do anyway as CISOs for a publicly traded company.”

Despite this, many CISOs are voicing their concerns and requesting additional liability protection as part of their job. Uri Dallal, managing director at professional services firm Aon, explains that when a role begins to attract litigation in the way the CFO and CEO roles do, it is common for CISOs to question whether they are covered under existing policies and to seek affirmative coverage.

As the SEC’s rules come into effect, early responses to cyberattacks are shedding light on the challenges faced by companies. The cyberattack that disrupted operations at Clorox was one of the first major incidents to fall under the SEC rules. Clorox has issued multiple statements, including Forms 8-K, since the incident was disclosed. The company faces the challenge of keeping reporting current as the investigation unfolds and determining the material impact of the incident on the company.

The incidents involving MGM and Caesars also serve as examples for compliance. These companies are subject to additional regulatory oversight by the Nevada Gaming Control Board, which requires casino operators to establish effective cybersecurity measures. In the event of an incident involving a material loss of control or compromise, casino operators must disclose the incident to the board within seventy-two hours and conduct an investigation and remediation.

Overall, the SEC’s new cyber incident reporting rules are putting pressure on CISOs to assess the materiality of cyber incidents effectively and to ensure timely disclosure. These rules have prompted concerns among CISOs about their liability and have led to increased demand for additional liability protection. As companies continue to navigate the rules, early responses to cyberattacks offer insight into the reporting and compliance challenges companies face.
