In April of this year the proposed amendments to the cybersecurity disclosure rules are expected to be finalized. These rule changes will have change the way companies report cybersecurity in two main areas. First, it will change when and how companies report security incidents. Second, it will require companies to report how they manage and govern cyber security risk. Let’s dive into how these changes will impact companies, the overall industry and how CSOs can help their businesses navigate the changes.
Changes To Incident Disclosure Requirements
The first major change will standardize how companies disclose cybersecurity incidents. These changes will require companies to report a material incident after four business days and provide updates to past incidents for up to two years after. The effects of these changes are expected to make it easier for consumers and investors to evaluate the impact of a security incident and ultimately how well a company deals with security incidents over time.
The long term results of these incident disclosure requirements may mean publicly traded companies begin to see impact to their stock prices as more material incidents are disclosed. The loss in shareholder value will ultimately result in companies investing more in their cybersecurity programs to better handle incidents or recover more quickly with the goal being to maintain investor or consumer trust. Also, requiring companies to disclose incidents within a specific time period may initially result in more lawsuits, which in the long run may force companies to invest more in security to reduce or manage risk.
For a CSO, I recommend evaluating your existing incident response and disclosure plan. Discuss with your legal and finance team about the criteria for declaring an incident, what constitutes a material incident and how to report this information within the SEC timelines. Four business days is a tight timeline for determining what happened, how it happened, the scope of what happened and accurately reporting this within the standard SEC forms. It will also be challenging to comply with the new SEC rules, while at the same time notifying the appropriate partners, customers or consumers so they aren’t learning about it first from the SEC disclosure. This may result in businesses rushing out the disclosure without all of the details, which could erode investor and customer confidence. Or, it could result in the company changing their rules for determining a “material” incident, which might buy them some time to delay the disclosure for more accurate reporting. This will be a fine line to walk and I highly recommend the CSO partner with the Chief Legal Counsel and Chief Financial Officer so they don’t run afoul of the new rules.
Lastly, a CSO will also want to help their organization navigate the risks of these disclosures. It is possible that a company will still be remediating or recovering from an incident when they are required to disclose the incident in their SEC forms. This could disclose details about the incident, the attack and vulnerabilities in a public forum, which could invite follow on or copy cat attacks. A CSO will need to guide their organization how to manage these disclosure risks, while dealing with the ongoing incident. I strongly recommend you run your executive staff through one or more tabletop exercises that runs through various scenarios you may encounter.
Disclosure Of Cyber Security Risk Management & Governance
The second major change will require companies to disclose how they are managing and governing security risk. This will require companies to provide details into their security strategy, security policies and criteria for selecting third party service providers. It will also require disclosure of management’s role and qualifications for assessing and managing security risk.
Overall, I think these changes will have a positive effect on the CSO role. Organizations that previously gave lip service to establishing, funding and governing a comprehensive security program will now be evaluated by investors and consumers in a standardized public forum. Stiff penalties will follow in terms of loss of market value, loss of consumers or even fines from regulatory agencies if organizations fail to adequately meet “industry standard” or investor expectations for security programs.
Additionally, CSOs can now “strut their stuff” by continuing to build, document and lead comprehensive security programs that measure and manage risk. These programs will stand as evidence to the investment and preparedness of the organization to deal with security incidents and manage risk. The new SEC disclosure requirements will allow investors to evaluate and ultimately reward organizations that are meeting expectations for security maturity and resiliency.
Requiring boards and executive management (named officers) to disclose their role and qualifications for assessing and managing security risk will also have a positive impact in how CSOs and security organizations are treated throughout the company. First, it will become common place for organizations to seek seasoned security veterans for a position on their boards. There will be an initial rush to find appropriate talent and in the long term these board positions will become a new career path for former CSOs and security executives.
Second, the addition of security experience to boards will mean CSOs have an ally at the senior levels of the company who understands risk and can help drive conversations around security that would otherwise be glossed over or dismissed. For boards that don’t hear directly from the CSO, security minded board members can explore security topics with their representatives (like the CTO, CIO or Chief Legal Counsel). The end result will elevate security and risk as a topic of importance within board rooms, beyond the current discussions.
Third, supply chain security will continue to receive focus now that organizations will be required to disclose their selection and evaluation criteria for third party suppliers. Publicly traded companies will seek to identify and manage this risk through comprehensive security evaluations of third parties or even developing comparable capabilities in house. Publicly traded companies will also look to limit their liability from third party suppliers and so I expect increased contract language to meet specific security requirements and penalties passed on to the third parties as a result of security incidents caused by them.
Possible Ripple Effects
Overall, I consider these new rules to be a good thing. They will elevate the conversation of cybersecurity risk to the board level and require companies to prove their maturity through standardized disclosures that investors can evaluate. However, there will be some interesting ripple effects as a result of these rule changes.
First, as organizations begin to comply with these rules and disclose aspects of how they govern cybersecurity there will be a chaotic period where publicly traded companies seek to find the line between disclosing too much information and not enough. The industry as a whole will begin to evaluate these disclosures for what is considered acceptable or “good” and this will eventually drive the industry to a steady state where the disclosures become normal or standard.
Second, the third party evaluation and disclosure requirements will have a trickle down effect to the third party vendors (both publicly traded and private companies) because they will be forced to meet the elevated security standards of the companies they provide products or services to. Third party vendors will also need to worry about any new legislation coming out that will hold them liable for security issues in their products and services as specified in the new National Cybersecurity Strategy. This will ultimately raise the bar or maturity for the entire industry, which is a good thing.
Lastly, I expect a niche industry of board level security certifications to pop up that certify executives for board level service. Service on a board as a certified security representative will also be the new resume builder or LinkedIn credential that senior security executives aspire to in the later stages of their career. This may also become an area the SEC chooses to define in the future, such as number of years of experience required to serve on a board, credentials required, certifications, etc.
Wrapping Up
Overall, the new SEC Cybersecurity rules look to strengthen investor and shareholder confidence in the way a company is handling cyber risk or increase transparency around how the company is handling events over the past 2 years, which could become material in how investors view the health of the company. In short, cyber maturity will become another criteria for how to evaluate the performance of a company. Ultimately, these rule changes will elevate the maturity of security across the industry and enhance investor and consumer trust in a company’s ability to manage cyber security risk.
Link to Proposed Rule Changes