Today, we are seeing a plethora of new mandates and regulations coming out as they relate to Cybersecurity. Of course, the granddaddies of them all are still the CCPA, GDPR, HIPAA, HITECH, etc.
But now, the various agencies of the Federal Government are seriously ratcheting up their requirements under which a company must disclose to the authorities that it has been impacted by a security breach, no matter what it is.
The latest agency to do this is the SEC. Back in March 2022, it set forth a new regulation that all companies must report to it if they have been hit, within a four-day span. This new “Rule” is called the “Proposed Rule for Public Companies”, also known as the “PRPC”.
More information about this can be seen directly at the SEC site, at the following link:
https://www.sec.gov/news/press-release/2022-39
From the outset, this sounds like a good thing to have, as many businesses in Corporate America are reluctant to disclose breaches, for many reasons. One of the key ones is that they simply do not want to lose customers and business if they disclose it publicly. But despite the good intentions of this new Rule, it is being met with a lot of resistance from the C-Suite, especially the CISOs. Here are some of the reasons why:
- The Board of Directors must have a certain level of Cyber expertise, so they can fully understand and grasp what has happened, and how to move forward.
- Although 4 days is a quick time period, it puts enormous pressure on the CISO to collect all of the needed information and data that has to be reported to the SEC. In fact, it often takes much longer than that, because of the need to conduct a thorough forensics investigation.
- Because of this short time period, the information that is transmitted to the SEC may not be accurate, as findings and conclusions can be an ever-changing process.
- At the current time, the GDPR requires that companies report any data leakage issues (those primarily involving PII datasets) within a 3-day time frame (which is 72 hours). This is a much more manageable task, as the scope of what needs to be disclosed is much narrower. But with the new SEC Rule, companies have to disclose if the security breach has been “material” in nature. But what exactly defines “material”? Obviously, it is a very subjective term for any business or CISO to define.
- Companies will also have to report if a security breach has been caused by a culmination of vulnerabilities that were not corrected in the past. The main question here is how one does all of this in a 4-day timespan. Again, a detailed forensics investigation is needed in order to determine all of this, and this can take weeks, even months, to fully conduct.
- Under this new Rule, the SEC will now require companies to disclose any changes or updates to the security policies that they have made as a result of a previous security breach. The main intent here is to see just how proactive the business in question has been in implementing the needed controls to make sure that the same threat variant does not impact it again. But the question that many CISOs have is how exactly will this be measured? Will there be a set of best practices and standards that companies have to adhere to? Any change to a security policy is considered to be an “intent” in nature, meaning it is supposed to have a directive action and result, but these are not enforced all the time.
- To me, this does not make much sense. Apparently, the SEC will require that these 4-day disclosures be included and reported in the quarterly earnings report. Many people are wondering about this: what does a series of financial statements have to do with a security breach? Obviously, there will be a need to disclose the financial impacts of a security breach, but is it really necessary to talk about the mechanics of the threat variant? This is usually the forum for the CFO to handle, so will the CISO now have to be involved as well? This is a crucial question that needs to be answered.
My Thoughts On This:
The good news here is that just recently, the SEC broadened the scope of just how much Cyber expertise the Board of Directors needs to have. Instead, all it requires now is the process by which they interact with CISOs and their IT Security teams to see how they are keeping up with the Cyber Threat Landscape.
But there is still a huge gap here. For example, a recent survey found that almost 50% of Boards of Directors have extremely minimal contact with their CISOs. More details about this study can be seen at the link below:
https://hbr.org/2023/05/boards-are-having-the-wrong-conversations-about-cybersecurity
Although there are merits to the pushback on this new Rule from the SEC, overall I am in favor of it. It’s about time that Corporate America is held responsible for the Cybersecurity that it needs, and informs people in time as to what corrective actions they can take in case they have become a victim.
If these stringent laws did not exist, nobody would report any security breaches.
And the victims would be the last to find out, and by that time, it would be too late to do anything.