Friday, September 1, 2023

7 Flaws Of The SEC Cyber Rule You Need To Know

Today, we are seeing a plethora of new mandates and regulations come out as they relate to Cybersecurity. Of course, the granddaddies of them all are still the CCPA, GDPR, HIPAA, HITECH, etc. But now the various agencies of the Federal Government are seriously ratcheting up their requirements for when a company must disclose to the authorities that it has been impacted by a security breach, no matter what kind it is.

The latest agency to do this is the SEC. Back in March 2022, it set forth a new regulation that all companies must report to it within a four-day span if they have been hit. This new "Rule" is called the "Proposed Rule for Public Companies", also known as the "PRPC".

More information about this can be found directly on the SEC site and in the coverage at the following links:

https://www.sec.gov/news/press-release/2022-39

https://www.darkreading.com/edge/sec-adopts-new-rule-on-cybersecurity-incident-disclosure-requirements

From the outset, this sounds like a good thing to have, as many businesses in Corporate America are reluctant to disclose breaches, for many reasons. One of the key ones is that they simply do not want to lose customers and business if they disclose a breach publicly. But despite the good intentions of this new Rule, it is being met with a lot of resistance from the C-Suite, especially the CISOs. Here are some of the reasons why:

• The Board of Directors must have a certain level of Cyber expertise, so they can fully understand and grasp what has happened, and how to move forward.

• Although 4 days is a quick time period, it puts enormous pressure on the CISO to collect all of the needed information and data that has to be reported to the SEC. In fact, it often takes much longer than that, because of the need to conduct a thorough forensics investigation.

• Because of this short time period, the information transmitted to the SEC may not be accurate, as findings and conclusions are an ever-changing process during an investigation.

• At the current time, the GDPR requires that companies report any data leakage issues (those primarily involving PII datasets) within a 3-day time frame (which is 72 hours). This is a much more manageable task, as the scope of what needs to be disclosed is much narrower. But with the new SEC Rule, companies have to disclose if the security breach has been "material" in nature. But what exactly defines "material"? Obviously, it is a very subjective term for any business or CISO to define.

• Companies will also have to report if a security breach has been caused by a culmination of vulnerabilities that were not corrected in the past. The main question here is how one does all of this in a 4-day timespan. Again, a detailed forensics investigation is needed in order to determine all of this, and it can take weeks, even months, to fully conduct.

• Under this new Rule, the SEC will now require companies to disclose any changes or updates to their security policies that they have made as a result of a previous security breach. The main intent here is to see just how proactive the business in question has been in implementing the needed controls to make sure that the same threat variant does not impact it again. But the question that many CISOs have is how exactly this will be measured. Will there be a set of best practices and standards that companies have to adhere to? Any change to a security policy is considered to be an "intent" in nature, meaning it is supposed to have a directive action and result, but these are not enforced all the time.

• To me, this one does not make much sense. Apparently, the SEC will require that these 4-day disclosures be included and reported in the quarterly earnings report. Many people are wondering about this: what does a series of financial statements have to do with a security breach? Obviously, there will be a need to disclose the financial impacts of a security breach, but is it really necessary to talk about the mechanics of the threat variant? This is usually the forum for the CFO to handle, so now will the CISO have to be involved as well? This is a crucial question that needs to be answered.


My Thoughts On This:

The good news here is that just recently, the SEC broadened the scope of just how much Cyber expertise the Board of Directors needs to have. Instead, all it requires now is a description of the process by which the Board interacts with the CISO and the IT Security team to see how they are keeping up with the Cyber Threat Landscape.

But there is still a huge gap that exists here. For example, a recent survey found that almost 50% of Boards of Directors have extremely minimal contact with their CISOs. More details about this study can be found at the link below:

https://hbr.org/2023/05/boards-are-having-the-wrong-conversations-about-cybersecurity

Although there are merits to the pushback on this new Rule from the SEC, overall I am in favor of it. It's about time that Corporate America was held responsible for the Cybersecurity that it needs, and for informing people in time as to what corrective actions they can take in case they have become a victim. If these stringent laws do not exist, nobody will report any security breaches.

And the victims will be the last to find out, and by that time, it will be too late to do anything.
