SEC on cyber disclosure

by Mark Rowe

In the United States, the securities regulator, the Securities and Exchange Commission (SEC), has adopted rules requiring registrants to disclose material cyber incidents against them, and to describe annually their cyber risk management, strategy, and governance. Foreign private issuers will have to make comparable disclosures.

SEC Chair Gary Gensler said: “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

Comments

Husnain Bajwa, VP of Product Strategy at cyber authentication product company Beyond Identity, described the ruling as a step in the right direction. “Requiring prompt disclosure of data breaches highlights the necessity of proactive accountability that begins long before a breach has occurred – especially when they are highly foreseeable. It’s clear that too many CISOs learned the wrong lessons from Uber’s cover-up and subsequent CISO conviction because despite the real challenges of cybercrime prevention, accountability for the custody of sensitive data remains paramount.

“When it comes to prevention, failure to implement phishing-resistant multi-factor authentication is essentially cyber-malpractice at this point. The technology is readily available, and the risk of a data breach is significantly decreased by using even the weakest form of strong authentication. All public companies and their CISOs need to understand the real and imminent threats posed to their credentials and digital crown jewels, such as the Initial Access Brokers market, and take these new regulations as an opportunity to right-size their security tools, reduce operational burdens, and improve overall user experience.”

And Paul Brucciani, Cyber Security Advisor, WithSecure, said: “Companies that have been breached would do well to focus first on showing a duty of care to their customers rather than the SEC. Class actions and a tattered reputation could be more damaging than a fine. General counsels should advise their colleagues that a breach is not always a breach – calling a security incident a ‘data breach’ will not trigger SEC obligations. Until you are certain a breach has taken place, refer to it as an incident. Consider also using two investigation teams: one commissioned by external counsel to conduct a forensic investigation under legal privilege to educate the external counsel about aspects of the breach, so that counsel can provide informed legal advice to its client; and, if necessary, a second team to support the incident response team in investigating and fixing the data breach.

“Given the SEC’s quest for transparency, executive directors that manage cyber risk should ponder the following advice:

1. Favour discretion over rules: cyber security based on compliance with rules or standards may make it easier to get through client audits, but it may not make you secure. Standards take many years to agree and implement, by which time the cyber threat has moved on, and they reflect the minimum capability that standard-setters consider to be generally appropriate, rather than an aspirational capability. Independently scrutinise standards set by consensus and create a logical, defensible cyber risk strategy, specific and appropriate to your organisation.

2. Have ‘skin in the game’: make those responsible for managing risk define the cyber risk management strategy. Avoid the mistakes made by financial sector regulators in, for example, allowing banks’ capital requirements to be set by the ratings agencies. Not only are ratings agencies not responsible for managing banking risk, but they are also susceptible to market pressure. It is they who set disastrously low risk ratings for new and lethal financial products like collateralised debt obligations, which caused the 2007 financial crisis. Execs need to have ‘skin in the game’.

3. Adopt a barbell security strategy: a combination of high- and low-risk management strategies, avoiding the middle ground. Protect, to the maximum extent possible, the IT systems that host your critical data and, if necessary, take more risk with the rest of your network by focusing on resilience rather than security.

4. Rehearse what you would do when a security incident happens: periodic testing of your security incident response fitness effectively vaccinates your business against a breach. Train your incident response team to control the language they use when they communicate as it could be used in court as evidence. The most resilient companies are those that have learned how to operate without internet access or even without IT. Make provisions for re-building your IT from scratch.”

© 2024 Professional Security Magazine. All rights reserved.