Preparing For Cybersecurity Disclosures Set For Public Companies

Forbes Technology Council

Ravi Ithal is cofounder and Chief Technology Officer at Normalyze, a data-first cloud security provider for the digital enterprise.

Public companies now face a new chapter in the visibility of their cybersecurity posture and of breaches of their IT environments. On July 26, 2023, the Securities and Exchange Commission (SEC) adopted a Final Rule on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure by Public Companies. It requires public companies to disclose their cybersecurity risk management, strategy and governance annually, and to disclose a cybersecurity incident within four business days of determining that the incident is material. I welcome this rule and, in this article, will share its implications for compliance.

What the Final Rule is About

The Final Rule increases transparency for cybersecurity readiness and response by public companies. As cybersecurity threats and attack surfaces continue to grow—especially as more data moves to the cloud—it’s important for companies to maintain clear and consistent processes and policies to protect their data and the systems, applications and networks that contain it.

The new mandate for public disclosure of cybersecurity posture and material incidents parallels the existing SEC mandates for disclosing other material risks and events that directly affect the value of shareholders' investments in the affected companies.

“Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. Ensuring that companies disclose material cybersecurity information, today’s rules will benefit investors, companies and the markets connecting them.”

Two New Requirements for Disclosure

The heart of the Final Rule is two requirements. The first is an annual disclosure of material information about a public company's cybersecurity risk management, strategy and governance. Think of this as a "posture" requirement that helps investors judge whether a company practices good cybersecurity hygiene. The SEC's premise is that investors want to know whether a public company's posture is resilient to modern cyber threats and to the fallout from a breach.

The second is disclosure of a cybersecurity incident within four business days of determining that the incident is "material." The disclosure is made on SEC Form 8-K, and covers "any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope and timing, as well as its material impact or reasonably likely material impact on the registrant."

To clarify the timing, assume a company discovered and confirmed a cyber incident on August 7. Discovery does not by itself start the clock, so disclosure is not automatically due four days later. The trigger is the company's determination that the incident is material. The SEC applies the established securities-law standard: information is material if "there is a substantial likelihood that a reasonable shareholder would consider it important." So, if materiality is determined two weeks after discovery, on August 21 (a Monday), the four-business-day clock starts that day and the disclosure is due by Friday, August 25. Note that the count is in business days, not calendar days: a determination made later in the week runs across the weekend into the following week.
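The business-day arithmetic above is easy to get wrong when the determination lands mid-week. The Python below is an example added to this article, not code from the SEC or the author, that computes the Form 8-K deadline from a discovery date and a materiality-determination date. It assumes a business day is Monday through Friday and does not model U.S. federal holidays, which a real compliance calendar must also subtract; the function names and dates are illustrative.

```python
from datetime import date, timedelta

# Added example (not from the article or the SEC rule text).
# Assumption: "business day" = Monday..Friday. U.S. federal holidays are NOT
# modeled here; a production compliance calendar must subtract them as well.


def add_business_days(start: date, n: int) -> date:
    """Return the date n business days after `start` (start itself is day 0)."""
    d = start
    remaining = n
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:          # Monday=0 ... Friday=4
            remaining -= 1
    return d


def form_8k_deadline(discovered: str, determined_material: str) -> str:
    """Form 8-K filing deadline (ISO date) for a material cybersecurity incident.

    The four-business-day clock runs from the materiality determination, not
    from discovery. The discovery date is taken only so the function can reject
    an impossible ordering and to keep the distinction explicit for the caller.
    """
    found = date.fromisoformat(discovered)
    decided = date.fromisoformat(determined_material)
    if decided < found:
        raise ValueError("materiality cannot be determined before discovery")
    return add_business_days(decided, 4).isoformat()


if __name__ == "__main__":
    # The article's scenario: discovered Aug 7, 2023; ruled material Mon Aug 21.
    print(form_8k_deadline("2023-08-07", "2023-08-21"))   # 2023-08-25 (Friday)
    # Same discovery, determination on Wed Aug 23: the weekend pushes it to Tue Aug 29.
    print(form_8k_deadline("2023-08-07", "2023-08-23"))   # 2023-08-29
    # Determining materiality on the discovery day itself is allowed (day 0).
    print(form_8k_deadline("2023-08-07", "2023-08-07"))   # 2023-08-11
```

The second call is the case that trips people up: four calendar days after a Wednesday determination would be Sunday, but four business days is the following Tuesday. Whatever tooling tracks the incident should record the materiality-determination timestamp as its own field, since that, not the detection time, is what an auditor will measure the filing against.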

Critics of incident disclosure argue that it hands attackers valuable information by revealing that defenders know an attack is under way. The SEC's response was to shift the required disclosure away from technical details of the incident and toward its effect on the company. Disclosure must cover the "material aspects of the nature, scope and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations."

In limited cases, the four-business-day deadline may be extended. According to the SEC, "disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the [Securities and Exchange] Commission of such determination in writing."

Critics also point to potential harm to the company from disclosure itself, namely artificial dips in its share price once an incident becomes public. Whether this happens in practice remains to be seen, but it is plausible. This point and others were vigorously debated after the rule was first proposed in March 2022, some 17 months before adoption. The Final Rule passed narrowly, by a 3-2 vote along party lines. Most public comments, however, focused on the question of incident materiality.

Determining If An Incident Is Material

It’s heartening to see the Final Rule is focused on material incidents, with the hope that they lead to a reduction in incidents and not merely an additional layer of compliance requirements. And with cybersecurity expertise becoming more common on corporate boards, albeit slowly, these new rules align with how corporate governance is evolving.

With that said, determining whether an incident is material may take a company some time, but not too much: the Final Rule says the determination must be made "without unreasonable delay." The SEC notes that even when an investigation is incomplete, a company may already know enough to conclude that an incident is material, for example on receiving a ransom demand for its "crown jewels" data.

The prospect of public disclosure raises the stakes for breach detection and the processes behind it. Detection tooling must recognize anomalous activity around sensitive data, which in turn requires a complete and current inventory of that data: where it resides and where it moves within and across systems and applications, on premises and in the cloud. Security tools also need the context of user access and likely attack paths. That whole-environment context is what lets security teams focus on protecting the most valuable data, and it is also what lets them size an incident's scope quickly enough to make a defensible materiality call.

Concluding Thoughts

I believe the intent of the SEC's Final Rule for public disclosure of posture and material incidents is a positive step that elevates the strategic importance of cybersecurity. Security professionals have long hoped for board-level attention. Well, be careful what you wish for! Board attention is now front and center, and security leaders will soon be under the microscope for helping their companies comply with the Final Rule. Hopefully, your response will be, "Not to worry, we're good on that!"

