At a glance.
- SEC adopts new cybersecurity rules for publicly traded companies.
- New Zealand to establish one lead cybersecurity agency.
- Advice for administering the US proposed AI Bill of Rights.
- White House names nominee for new national cyber director.
SEC adopts new cybersecurity rules for publicly traded companies.
The US Securities and Exchange Commission (SEC) today voted to adopt new rules governing how publicly traded companies will handle cybersecurity issues. Specifically, Reuters reports, companies will be required to disclose a cyber incident within four days of determining that there was likely to be a material effect on investors. (An exception was made for cases in which such disclosure might have adverse implications for national security.) Companies will also be required to render periodic reports on their efforts to identify and manage cyber threats. And, in an attempt to forestall a repetition of the 2021 "meme-stock rally," broker-dealers will henceforth have to address conflicts of interest in any use they may make of artificial intelligence in their trading.
Lesley Ritter, Senior Vice President for Moody’s Investors Service, characterized the new rules as a move to bring transparency to a murky risk. “The cybersecurity disclosure rules adopted by the U.S. Securities and Exchange Commission earlier today will provide more transparency into an otherwise opaque but growing risk, as well as more consistency and predictability. Increased disclosure should help companies compare practices and may spur improvements in cyber defenses, but meeting the new disclosure standards could be a bigger challenge for smaller companies with limited resources. Overall, the rules are credit positive for public companies that are subject to SEC reporting requirements, as disclosures are useful to compare how companies, particularly those with elevated cyber risk, are addressing these challenges."
We also received comment on the reporting mandates from Chris Denbigh-White, CISO of data protection firm Next DLP. "The recent headlines regarding the new SEC rules have centered around item 1.05, which imposes a mandate for reporting 'material cyber incidents' within a strict timeline of four working days," Denbigh-White wrote. "While item 1.05 is undoubtedly a significant step towards unifying and structuring cyber incident reporting, the true power of these new rules lies in item 1.06, which seems to have been somewhat overlooked in initial press reporting. Item 1.06 goes beyond incident reporting and introduces a crucial requirement for annual attestation. In essence, item 1.05 establishes the necessary actions companies must take when facing a cyber incident, while item 1.06 emphasizes what companies should be doing continuously to avoid finding themselves in 'Item 1.05 situations.'"
The Item 1.06 mandate reminds Denbigh-White of ISO-27001. "This move towards mandating annual reporting on an organization's 'Information Security Context, Requirements, Objectives, and Scope' bears a strong resemblance to the principles found in ISO-27001, which is widely regarded as a robust information security management standard. Implementing such practices is, in my view, a positive development. These new SEC rules will undoubtedly compel organizations to reevaluate their approach to cyber risk management. They will serve to focus the minds of organisations around how they address cyber risk and ensure that focus extends to the most senior levels and most importantly ensure that this focus is maintained."
Saket Modi, CEO of Safe Security, sees an incipient rush as companies work toward compliance with the new rules. "Organizations are in a mad dash to meet these newly adopted SEC Cyber Rules, which have identified a 4-day disclosure process for companies on 'material' hacks. The key word here is 'material' and being able to determine what that actually means." Modi pointed out that determining materiality isn't a trivial exercise. "Most organizations are not prepared to comply with the SEC guidelines as they cannot determine materiality, which is core to shareholder protection. They lack the systems to quantify risk at broad and granular levels. The game needs to change to focus on protecting systems that pose the biggest material risk to business and making cyber investments that will reduce the likelihood of material risk breaches. This means businesses will have to translate bits and bytes of cyber risk into dollars and cents of 'material' business risk."
(Added, 4:30 PM ET, July 26th, 2023.) Mike Britton, CISO of Abnormal Security, also sees the rules as representing essentially a move toward greater transparency. "Increased disclosures and greater transparency are a good thing for everyone concerned with cybersecurity." How effective they'll prove, however, remains unclear. "But there are some uncertainties around how far these SEC cyber rules will go toward actually solving or exposing security incidents. For one, the rule assumes that breached organizations are aware of a material compromise, and that reporting it within the stipulated four days from discovery is timely enough. But so often, organizations experience breaches where an attacker was already inside their corporate network—sometimes for weeks or months—before they identified the attack. The SolarWinds attack is a prime example of this, but we also just saw this happen with the hack on U.S. government email accounts through a Microsoft vulnerability, where the attackers were lurking within those accounts for as long as a month before customers noticed anomalous mail activity." Materiality in particular probably requires clarification. "Secondly, the mandated disclosures are required only if the breach has a 'material' impact on operations, revenues, or stock price. But without a concrete definition around what is considered 'material,' this can feel somewhat arbitrary, and may lead to some material breaches going unreported. Plus, in many cases, an organization won’t know the extent of their material damages until much later. There is a question around whether the bar should be lowered. For example, there is a case to be made for disclosing any type of breach—even if it’s a BEC attack that results in relatively lower financial loss, like in the thousands of dollars, or if there are repeated incidents. Is a single material breach any worse than attacks that are less costly, but more frequent? Organizations have a duty to be transparent with their customers and investors, so at what point do we draw the line?"
(Added, 4:45 PM ET, July 26th, 2023.) James Turgal, presently Optiv’s VP of cyber risk, strategy and board relations, but also a veteran of 22 years of service with the FBI, brought both a business and a law enforcement perspective to the implications of the new rules. “History tells us that companies have been reluctant to publicly disclose cyber breaches for fear of reputation and financial repercussions and stakeholder pushback. Omissions of this nature have hindered law enforcement’s ability to catch cybercriminals and prevent similar attacks from happening to other organizations," he wrote. He thinks, however, that the new SEC rules will help incentivize more information sharing. "Now, we can feel more confident that the industry, stakeholders and law enforcement will get the information they need in a timely fashion for better decision making and faster response."
Turgal also pointed out that the SEC's regulatory move has pulled corporate boards further into cybersecurity. "The SEC’s approval also elevates the role of the board of directors in cybersecurity and risk management. Cyber resilience can only be achieved with company-wide involvement – from the boardroom to the mailroom. So, getting corporate boards more involved in cybersecurity is a major victory from a cultural standpoint. Additionally, many board members still view security as a cost center. With more involvement in the cybersecurity program, the hope is that they’ll start to understand that cyber risk is a business risk and that their perceptions will shift to view security for what it truly is: a business enabler.”
Whether materiality receives precise definition or not, companies will need to prepare to address it, Scott Kannry, CEO and Co-Founder of Axio, points out. "By requiring companies to disclose 'material' breaches within four days, companies will need to take the right steps to be prepared ahead of time." Kannry went on to outline what such preparation might look like. "To effectively comply:
- "CEOs and Boards of Directors will need to finally understand cybersecurity risk and, therefore, provide the same oversight and governance they offer to all other types of material enterprise risks.
- "In order to minimize their risk, security leaders must quickly model the potential impact (or lack thereof) of new and evolving threats within their own organization and more effectively determine if any mitigating actions should be taken.
- "All key enterprise constituents need to have a better understanding of how cybersecurity events can impact the business and become more effective at minimizing impact – and acting quickly – if an event should occur.
"All these outcomes differ starkly from the prevailing norm, where governance is lacking, resources are misaligned, and enterprises fly blind to their most critical cybersecurity risks, putting the company and shareholders on uncertain ground. By properly preparing, enterprises will not only be able to disclose breaches within the required timeline, but they and their shareholders will also have an understanding of their cybersecurity risk from a financial impact perspective for better prioritization and decision-making."
(Added, 5:00 PM ET, July 26th, 2023.) Tara Wisniewski, EVP, Advocacy, Global Markets and Member Engagement at (ISC)², joins many others in approving of the SEC rules. “Disclosure and incident reporting of cybersecurity incidents is a positive step forward, and we encourage reporting of material cybersecurity incidents. Disclosure of these events will be useful for the public to understand the nature, scope and ramifications of material cyber incidents and the effect those incidents can and will have on both investors and customers. We acknowledge and agree that reporting material cyber security incidents is both positive for the public and for data protection." The organization also thinks four days is a reasonable deadline. "(ISC)² believes that the proposed timeframe of four business days for disclosure following an incident being determined as ‘material’ is sufficient time for an initial incident disclosure assuming a business has prepared responses to SEC disclosure requirements ahead of time and has adequate cybersecurity resources in place. This timeframe is consistent with, or more generous than, similar regimes in foreign jurisdictions." And Wisniewski also urges companies to think of compliance as an investment, not purely a cost of dealing with regulatory risk. "Investing in cybersecurity practices and protocols from a people, process and technology perspective is essential for a business to successfully maintain secure data and systems, maintain the trust of the public and the interests of stakeholders and regulators alike.”
George Gerchow, IANS Faculty and CSO and SVP of IT at Sumo Logic, approves of the rules as a step toward greater corporate accountability, not only to investors, but to consumers as well. "This ruling is a great step towards achieving accountability, to protect the consumers and the investor community. The reality is that most companies are currently ill-prepared to meet the requirement of reporting an incident of material impact within four days. One thing to note is that this ruling doesn’t require the reporting of technical details, but in the event of a breach, it will inevitably come down to tech at some point—and no company is prepared for that. As companies move toward reporting readiness, they will have to address these technical details and likely revise:
- "How they discover potential vulnerabilities and breaches.
- "The company’s reporting mechanism. E.g., if a security team discovers the breach, how do they report it to the SEC and who does it? The CISO, general counsel, cybersecurity working group?
- "Who is on their board. Having cybersecurity presence on board is critical, and it’s time for CISOs to begin preparing themselves for board positions—and for companies to position qualified CISOs on their boards.
"While we are still waiting to see what the penalties for failing to report will be, we can assume from incidents like Uber that it will lead to a DOJ situation where individuals’ jobs will be on the line."
(Added, 6:30 PM ET, July 26th, 2023.) Craig Burland, CISO of Inversion6, finds the way the SEC is setting expectations interesting. "The SEC continues to ramp up expectations for publicly traded companies. The four-day disclosure, however, is not the kicker here. Companies have two subjective decisions before being forced to disclose. First, they have to determine the cyber event was an incident – data was lost, business was disrupted, etc. Finding sufficient evidence to prove loss takes time. Second, the impact has to be material. For large corporations, this is a high bar that very few incidents would eclipse." Burland also thinks the introduction of materiality into the annual risk-management disclosure will have important consequences. "The real toll of this decision is the one not getting the headlines. It’s part two of the requirements: the SEC wants companies to 'disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.' Implicit in this decision is that companies have a cybersecurity risk strategy and perform cyber governance. All too often, that’s not the case. A requirement to publicly disclose the practiced level of cyber-competence will open eyes and raise eyebrows across the country."
New Zealand to establish one lead cybersecurity agency.
The New Zealand government announced this morning that it’s combining New Zealand’s Computer Emergency Response Team (CERT NZ) and the Government Communications Security Bureau's National Cyber Security Centre (NCSC) to form one lead operational agency devoted to bolstering cybersecurity readiness and response. Minister for the Public Service Andrew Little explains that the move was recommended by New Zealand’s Cyber Security Advisory Committee. “Having a single agency to provide authoritative advice and respond to incidents across every threat level is international best practice, and will ensure New Zealand is well placed to take advantage of the opportunities in the digital economy and provide secure government services to our citizens,” Little states.
Reseller News notes that earlier this year the NCSC, CERT NZ and the Australian Cyber Security Centre joined the Five Eyes in pushing for tech vendors to take more responsibility for the security of their products. As Rappler explains, New Zealand has experienced a recent surge in cyber incidents, costing the country approximately NZ$5.8 million in the first quarter of 2023. Minister for the Digital Economy Ginny Andersen said, “The NCSC prevented $33 million of harm to our economy over the whole of last year. We know the true scale of harm to our economy is underreported. Creating a dedicated new lead operational agency ensures New Zealand is best positioned to fight back against the hackers we know cause real harm to individuals and to our economy.” The integration of the NCSC and CERT NZ will begin on August 31 and will be phased over several years, with all current services maintained in the interim.
Advice for administering the US proposed AI Bill of Rights.
Writing for Wired, Suresh Venkatasubramanian, former assistant director for science and justice within the Biden administration’s Office of Science and Technology, offers his advice on expediting the initiatives laid out in the US’s recently developed Blueprint for an AI Bill of Rights. As co-author of the document, Venkatasubramanian applauds the White House’s efforts to persuade artificial intelligence developers to make their products more secure, but he says these requests have so far been too vague and too voluntary. “As a large employer and user of AI technology, a major customer for AI systems, a regulator, and a source of funding for so many state-level actions, the federal government can make a real difference by changing how it acts, even in the absence of legislation,” he writes.
His recommendation: the White House should issue an executive order accompanied by detailed guidance for agencies from the Office of Management and Budget. Such an EO could mandate that all agencies adhere to AI best practices and require vendors to provide evidence of compliance with those practices. As well, the order could state that anyone receiving federal dollars, including local and state entities like law enforcement agencies, also uphold these practices. While Venkatasubramanian admits that such restrictions could slow the development of AI in the US, he notes that other countries are already enacting their own AI rules. He concludes, “The EU is about to pass an expansive AI Act that includes many of the provisions I described above, and even China is placing limits on commercially deployed AI systems that go far beyond what we are currently willing to consider.”
White House names nominee for new national cyber director.
In a long-awaited move, US President Joe Biden today announced Harry Coker, a four-decade veteran of the Central Intelligence Agency and National Security Agency, as his nominee to serve as the next national cyber director. Coker would replace Chris Inglis, who left the Office of the National Cyber Director (ONCD) in February.
CyberScoop explains that a number of Capitol Hill lawmakers have been urging Biden to nominate Kemba Walden, who served as Inglis’s deputy and has been acting as ONCD director in his absence. However, sources say the administration decided against Walden due to worries her financial debts might stand in the way of a Senate confirmation. While Walden’s experience at ONCD and, prior to that, at the Departments of Commerce and Homeland Security made her, in some officials’ eyes, a frontrunner for the role, Coker has flown more under the radar. Coker’s background includes spearheading the CIA’s open-source intelligence initiatives, and he served as the NSA’s executive director from 2017 to 2019.
Senator Angus King and Representative Mike Gallagher, co-chairs of the Cyberspace Solarium Commission, which called for the creation of the ONCD, say they support Coker’s nomination. “It is important to reiterate the necessity of strong, permanent leadership in the Office of the National Cyber Director,” they said in a joint statement. “The NCD is effectively the ‘coach’ of the U.S. cybersecurity team, and it is important that the leadership is Senate-confirmed and accountable to both the President and Congress. As long-standing football fans we both know that you can’t win without a great coach.”