Cloud Hosting

Head over to our on-demand library to view sessions from VB Transform 2023. Register Here

The Securities and Exchange Commissions (SEC) has issued a landmark ruling on cybersecurity disclosure for public companies.

Starting as early as December 15, public enterprises will now be required to disclose material incidents within four days and reveal how they detect and address them while describing board oversight.

Not surprisingly, the response has been all over the board, with some calling it a step in the right direction regarding transparency and communication, while others describe it as a rear-view tactic.

Still, others argue that it could open companies up to more risk, not less, and many point out that four days isnt nearly enough time to confirm a breach, understand its impact and coordinate notifications.

VB Transform 2023 On-Demand

Did you miss a session from VB Transform 2023? Register to access the on-demand library for all of our featured sessions.

Furthermore, theres umbrage with the vagary of the wording around material incidents.

If the SEC is saying this will be law, they need to be very specific with what they define as material impact, said Tom Guarente, VP of external and government affairs at cybersecurity company Armis. Otherwise, it is open to interpretation.

The ruling is intended to increase visibility into the governance of cybersecurity and put greater pressure on boards and C-suites, according to the SEC. Providing disclosure in a more consistent, comparable and decision-useful way will benefit investors, companies and the markets connecting them, the agency says.

Per the new rules, public companies must:

The final rules will become effective 30 days following publication in the Federal Register and disclosures will be due as soon as December 15.

Going forward, legal teams will need to consider what might be material in all sorts of scenarios, said Alisa Chestler, chair of the data protection, privacy and cybersecurity team at national law firm Baker Donelson.

For example, she pointed out, a breach that impacts the supply chain could be material after one day or three. Or, maybe theft of intellectual property has occurred and while it is material, does it impact national security and therefore merit a delay?

Materiality will be very much based on cyber and operations, she told VentureBeat.

However materiality is defined, the optimal outcome is that notifications will not only protect investors and consumers but inform collective learning namely, that public companies and other entities glean actionable lessons learned, said Maurice Uenuma, VP and GM at data erasure platform Blancco.

If these breach notifications just become more noise for a world becoming numb to the steady drumbeat of breaches, the effort wont yield much benefit, said Uenuma, who is also former VP of Tripwire and The Center for Internet Security.

This isnt just an issue for public companies, experts emphasize.

Its very important to realize that while this law is directed at public companies, its really going to trickle down to all companies of all sizes, said Chestler.

She pointed out that public companies are reliant on many smaller software and supply chain companies, and a cyberattack at any point along that chain could have a material impact.

Contractually, public companies will need to start to think about how they can flow down properly for their own protection. She said this could mean implementing vendor management programs instead of just vendor procurement programs and regular agreements and contract re-evaluations.

This means that private companies should be closely watching developments so they can be prepared for increased scrutiny of their own operations.

The reality is that most companies are currently ill-prepared to meet the requirement of reporting an incident of material impact within four days, said George Gerchow, CSO and SVP of IT at cloud-native SaaS analytics company Sumo Logic.

As such, they will have to address and likely revise how they discover potential vulnerabilities and breaches and reporting mechanisms.That is, he posited, if a security team discovers the breach, how do they report it to the SEC and who does it the CISO, general council, a cybersecurity working group or someone else within the organization?

Finally, having cybersecurity presence on board is critical, and its time for CISOs to begin preparing themselves for board positions and for companies to position qualified CISOs on their boards, he said.

Bridging the divide between CISOs and boards starts with a two-way discussion, emphasized David Homovich, solutions consultant in the office of the CISO at Google Cloud.

Security leaders should regularly brief board members and provide them an opportunity to ask questions that help them understand the security management teams priorities and how those align with business processes, he said.

CISOs would do well to avoid focusing on one specific cybersecurity issue or metric that can often be complex and difficult to understand. Instead, they should engage at a broad enterprise-wide risk management level where cybersecurity risk can be contextualized and cybersecurity challenges can be made more digestible and accessible.

For instance, techniques like scenario planning and incident analysis help place an organizations risks in a real-world context.

Board involvement can be challenging, as board members often do not have the in-depth expertise to closely direct the management of that risk, said Homovich.

Even if a board member has relevant experience as a CIO, CTO or C-suite role, it can still be a struggle because they are not directly involved in day-to-day security operations.

A boards understanding of cybersecurity is more critical than ever, he said, pointing to surges in zero-day vulnerabilities, threat actor groups, supply chain compromises and extortion tactics designed to hurt company reputations.

We predict that boards will play an important role in how organizations respond to these trends and should prepare now for the future, he added.

Homovich pointed out that the majority of large companies particularly those in highly regulated industries will not need to dramatically shift their approach to board oversight. Instead, there will likely be a significant adjustment on the part of small-to-medium-sized public companies.

He advised CISOs to immediately engage their C-Suite counterparts and board members and ask questions such as:

CISOs should revisit their management framework and ensure it addresses five key areas: current threats; an explanation of what cybersecurity leadership is doing to mitigate those threats; examples of how the CISO is testing whether mitigations are working; the consequences if those threats actually happen; and risks that the company is not going to mitigate, but will otherwise accept.

But collaboration isnt just important internally security leaders should be robustly engaging outside experts through such groups as the CISO Executive Network, Chestler said. This can help build camaraderie and share best practices, because they continue to evolve.

Indeed, in todays threat landscape, technology isnt enough, agreed Max Vetter, VP of cyber at training company Immersive Labs. Enterprises must also invest in cyber resilience and peoples preparedness for attacks.

People need to know how to work together to mitigate an attack before one actually occurs, said Vetter. With a people-centric cybersecurity culture and approach, we can make the most of our investments while measurably reducing risk.

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.

See more here:
SEC controversial cybersecurity disclosure warning: What ... - VentureBeat