SEC Cyber Rule: A Primer for Practitioners by Alex Sharpe


Please check out this guest blog post by Alex Sharpe, a Cyber Security Expert with decades of experience.

The SEC Cybersecurity Rule is designed to provide transparency so investors can make informed decisions. The rule effectively imposes two requirements on publicly traded companies. The full rule can be found here.

The SEC has three missions:

  1. Protect investors.
  2. Maintain fair, orderly, and efficient markets.
  3. Facilitate capital formation.


What does the rule say? This rule (first of three) clearly maps to the first mission while setting the stage for future rules addressing the remaining two missions.

  1. Publicly traded companies must disclose material information regarding their cybersecurity risk management, strategy, and governance practices yearly as part of their 10k filing.
  2. Publicly traded companies must report, via an 8k, material cybersecurity incidents within four business days of determining the incident is material. This timeline may be extended IF federal law enforcement determines the disclosure would harm national security or pending investigations.


The SEC has been issuing Cybersecurity guidance since 2011.

Why 10k and 8k? Simple: 10ks and 8ks are the well-established, long-standing mechanisms for reporting similar non-cybersecurity matters. Both 10ks and 8ks have been required since 1934. Requiring cyber to use these reporting mechanisms is simply a recognition of cyber as a business imperative.

What is material? Material is a cornerstone of SEC regulations going back to just after the Great Depression. The U.S. Supreme Court held an item is material if there is “a substantial likelihood that the … fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”[i]

Sounds fluffy? Sort of. There is case law and precedent. If you are part of a publicly traded company, you should already have a policy and a procedure to determine and report materiality. The best next step is to find it, identify the owner, and meet with them. This is your opportunity to help them understand cyber, and for you to understand the business.

Harmonization and Consistency. The proposed rule is very consistent with other rules, regulations, standards, and legislation. The main differences are reporting within four business days instead of the seventy-two hours seen elsewhere, and the use of 8Ks and 10Ks as the reporting mechanism.

How does this alter incident response plans? Work with senior leadership to understand what information they need and when. Remember, ignoring a materiality decision will only get you in trouble. Spend time educating your senior leadership on cyber and collaborate with them to craft criteria and milestones for communication with senior leadership and the board. Existing policies, procedures, and Incident Response (IR) plans will need to be updated.

Reduce likelihood and impact; detect fast, recover quicker. Incidents will continue to happen. You will avoid a lot of problems and your life will be easier by detecting faster, recovering quicker, and limiting the Blast Radius. Looking at the numbers, internal teams only detect about one third of all incidents, and it takes almost nine months to identify the typical incident. The real number is much higher when we remove the incidents where the attacker makes us aware of the incident.


Who Detects a Breach?

  • 33% Internal teams and tools
  • 27% Attacker (e.g., Ransomware)
  • 40% Benign third parties and outsiders


IBM Cost of a Data Breach Report, globally, across sectors:

  • 204 days to identify and 73 days to contain a breach.


Financial sector:

  • 177 days to identify and 56 days to contain.


What’s Next? The recently passed cyber rule applies to publicly traded companies and the SEC’s first mission of protecting investors. A second rule is in flight that applies to ALL market participants – publicly traded and privately held. That proposed rule and submitted comments can be found here. There has been some discussion of a third rule to address the SEC’s third mission. So far, nothing has been posted for public comment.


[i] TSC Industries v. Northway, Inc., 426 U.S. 438, 449 (1976); see Basic, Inc. v. Levinson, 485 U.S. 224 (1988) (as the Supreme Court has noted, determinations of materiality require “delicate assessments of the inferences a ‘reasonable shareholder’ would draw from a given set of facts and the significance of those inferences to him….” TSC Industries, 426 U.S. at 450); see also FASB, Amendments to Statement of Financial Accounting Concepts No. 8—Conceptual Framework for Financial Reporting—Chapter 3, Qualitative Characteristics of Useful Financial Information (Aug. 2018), available at https://fasb.org/jsp/FASB/Document_C/DocumentPage?cid=1176171111614; see also SAB No. 99.
