Threat Vector 3.7.24
Ep 17 | 3.7.24

The SEC's Cybersecurity Law, a New Compliance Era with Jacqueline Wudyka.


Jacqueline Wudyka: [Music] The hardest bar to get into within the multistate exam is Alaska. They make their score higher than anybody else.

David Moulton: Do you know why that is?

Jacqueline Wudyka: I don't know. The moose really needs some good lawyers out there. [Laughter] No explanation.

David Moulton: Have you ever seen a moose up close and personal?

Jacqueline Wudyka: Not in real life, no.

David Moulton: And I think one --

Jacqueline Wudyka: One size, bigger, smaller?

David Moulton: Oh, much bigger than a horse.

Jacqueline Wudyka: Risky.

David Moulton: Like a horse is a tiny, tiny little animal. I had read a thing that one of the main predators of a moose is an orca. A moose can dive very deep into water where orcas are swimming around and going like, hum, that looks delicious and we'll eat a moose. And I thought you couldn't make it up if you tried. That is so bizarre. Welcome to Unit 42's Threat Vector where we share unique threat intelligence insights, new threat actor TTPs, and real world case studies. Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. [Music] Today we're digging into the new SEC cyber rules with Jacqueline Wudyka, consultant at Palo Alto Networks. Jacqueline is a multilingual legal powerhouse with bar certification in 37 states. As part of the Unit 42 cyber risk management team she specializes in governance, risk and compliance with a particular emphasis on data privacy. Today I'm going to share the conversation Jacqueline and I had about the SEC cyber risk management strategy, governance, and incident disclosure rule that was adopted in December of 2023. But first a disclaimer. The information provided on this podcast is not intended to constitute legal advice. All information presented is for general information purposes only. The information contained may not constitute the most up-to-date legal or interpretive compliance guidance. Contact your own attorney to obtain advice with respect to any particular legal matter. Now let's get into our conversation. What was it about the intersection between cybersecurity and law that really excited you?

Jacqueline Wudyka: I really love the law. I guess my bar passage says that, and I really enjoyed law school. But what I didn't love was when you start a new class and the cases date back to the 1800s. And you're just like, why, and it's so hard to wrap your head around the buggy and this and that it's just so not relevant anymore. Then I took a cybersecurity course, and the cases are all about Google and Facebook. And they're all occurring within the last 10 years. And they're still occurring. And I think the beautiful part of that is that we're still figuring it out. And having that relevant aspect of it is just amazing. And we get to witness it from its infancy.

David Moulton: So go back to law school and think about some of those cases that excited you. Are there any that really stand out?

Jacqueline Wudyka: Sure. I mean, there's so many. And even with this, right, this whole new SEC regulation, we have First American advantage, I believe is the name. And in so many cases like that where it gives us a starting point to try to understand where these new rules are getting to, right. So when something's new, I always try to refer back to something that exists. Caremark is a huge case that we learn in business. And I think that these new regulations are aligning with that, and in so many different ways. And so it's always cool. Yes, I constantly have cases floating around in my head that I tie back to.

David Moulton: So you mentioned the SEC. And that's actually what we want to talk about today. Can you give a brief overview of the aims of the new SEC regulations?

Jacqueline Wudyka: Absolutely. So I think to answer what the aim is, right, we have to look at what's the mission of the SEC. What's the goal? Why do they do what they do? And that's to protect investors, to create a fair market. And in order to do that, they have to regulate the playing field. So that means having the same information consistent and standardized from all registrants. But what's interesting about it is that this isn't new. This isn't the first time they're trying to have that consistent flow of information. I think their aim with these new regulations is making it clear, making it prescriptive as to what companies need to report on. Yeah, I think that's their goal, right, having that consistent flow of information across all organizations, across all registrants, in order to have that consistency and accurate information.

David Moulton: These new rules went into effect last year, December 15th. What are the tangible impacts the SEC cybersecurity rules have had on public companies?

Jacqueline Wudyka: Absolutely. So taking a step back, we have two main requirements in this rule. We have the reporting side, and then we have the governance risk management side. So on the reporting side, they're really requiring disclosure of material incidents within four days of that incident being deemed material, right? So to align with this, companies have had to internally define materiality. We've seen a lot of companies begin doing business impact analysis, really determining what is material for them. And this has kind of been a pain point, right? Because it's just so specific and dependent on the organization's build. We've also seen them creating a team or repurposing a team. A lot of these publicly traded companies have a disclosure committee already. So they'll say, okay, we have our definition of materiality. Now, who's going to actually apply that definition? So they'll have this committee or this team that'll be in charge of determining and applying that definition. So for the reporting aspect of it, those are two main things we've seen. And then on the other hand, we have this governance and risk management, right? And the SEC has told us that they want to know that the board of directors and executives are being informed of risk, and how they're managing this risk. So we've seen a lot of establishments of processes and procedures, and most importantly, communication paths, having those escalations really set in stone, and also creating documentation to support this. And another thing the SEC has noted is that they want enough detail so that a reasonable investor can understand how this risk is being managed and mitigated and governed. So if you already have these processes and procedures documented somewhere, you're halfway there. It's an excellent starting point. So between the two, between the reporting and the governance and risk management, we're seeing those proactive assessments, that materiality being defined, the restructuring to make sure we have stakeholders in place to make those timely determinations. And we're seeing that executives and board of directors are starting to ask questions to make sure that they're informed on this topic, because that's the biggest -- I think one of the biggest points in this rule is starting that conversation within those executives and the board.

David Moulton: So I want to go back to something that you mentioned a moment ago. If each company is defining what is material, then how does the SEC actually enforce anything?

Jacqueline Wudyka: That's a great question. So they have given some parameters, right? That's extremely specific to the organization, so it's going to be difficult for them to determine. What they can do though, is they can start asking questions. And you don't want that to happen, right? As an organization, why even open the door for them to doubt you on your determination that it wasn't material? So having those processes and procedures in place is your armor against that, saying, hey, no, we know this isn't material because we did X, Y, and Z, and that gave us the conclusion that it's not material.

David Moulton: Jacqueline, how are these rules influencing the overall cybersecurity landscape in the business world?

Jacqueline Wudyka: It's hard to tell right now, right? Because it's just going to start being enforced. But there's really two kinds of organizations. There's those that have their robust cyber program in place, and not much is going to change for them. Because they have so many resources and stakeholders dedicated to cybersecurity, that it's going to be more of an, oh, this is so much more paperwork, right? And they're going to bring in their lawyers that they have on retainer and just one more thing to do. But for those companies that haven't invested in their cybersecurity, this is really going to encourage them to do so. It's, I think, good for the cyber landscape because it's not just a financial investment. It's really a time investment. As we mentioned earlier, it's going to bring those cybersecurity conversations to the big boy table. You know, it's making it more top of mind, and CISOs and CTOs are going to have to play a big role here because they speak the language and they're going to have to make it open dialogue at those big meetings.

David Moulton: Are there new skills? Are there new jobs that are going to come out of this is what I really want to know.

Jacqueline Wudyka: That's interesting. I don't know if it's a new position necessarily, but I definitely think it's a new skill and training, perhaps. Because the security team now needs to understand these new requirements. They don't need to get into the nitty-gritty of it, but they need to understand what needs to be escalated in a much deeper way. So before we had these determinations of, okay, it's an event and now, I think it's an incident. We're going to declare the incident, we're gonna escalate it. I think that definition of their incident, before even getting to the materiality, is going to have to be readjusted to account for these new rules. So I think the security teams are really going to have to educate themselves or get trained on however it may be to understand this new playground, right? Making sure that companies are protected, is going to start with the security team.

David Moulton: How is artificial intelligence going to help security practitioners bridge the gap between what the SEC is looking for and meet those time requirements?

Jacqueline Wudyka: I think the biggest asset of AI is that it makes things go faster. Right? So now that we have this time requirement, things need to move quicker. We have that materiality definition that gives us a little more cushion there. I think the biggest role it'll play is with the technology aspect of it, creating those alerts in a timely manner, organizing them perhaps in a way that's more digestible for the security teams.

David Moulton: What strategies or technologies should organizations always have in place to mitigate cybersecurity risk and reduce the likelihood of having to report incidents to the SEC?

Jacqueline Wudyka: So this is a big plug for me here, because I work on the proactive cybersecurity side of the house. And everything we do is exactly what companies need to be doing. There's a wide array of assessments, whether it be business impact, or whether it be tabletop exercises, CRAs, just to gain greater visibility into what you're working with. So these assessments really have the ability of gaining greater visibility into what is my -- where's my organization? Where it stands, what's its posture? Where are its gaps, right? That's really where we help you identify that. And then once you identify the gaps, how do we fix them? And by fixing them, you're proactively acting against a potential vulnerability that could spiral into this material incident. So those assessments are extremely helpful. Another thing we recommend is revisiting your tools. A lot of companies have the greatest, the latest, the coolest tools in the world, but if they're not properly configured to the organization, then they're not doing you any good, right? So we're like, we revisit those, make sure that they have visibility into the places where it matters. And that way you have the ability of getting a quick alert and being able to act on it, and hopefully remediate it before it becomes anything else. And then another thing we always recommend is testing, testing, testing, your backups, your plans, your procedures. I mentioned tabletop exercises earlier. We love these, because it's a make believe scenario. And each inject has a different accumulation, a different set of facts that the team then has to act upon. So it's a big pretend. And it allows companies to test their procedures, and test their response and see if they actually know what's on their incident response plan. It's one thing to have a document and it's a whole other thing to be able to just vocalize it. So working on any of those proactive engagements is extremely helpful.

David Moulton: Thinking about those tabletop exercises, any surprising outcomes that you've seen as you've worked with our clients?

Jacqueline Wudyka: Oh, all the time. [Laughter] Yeah, especially because they'll send us their IRP, or Incident Response Plan, in advance. We already have insight into what they should be doing. And they'll say, wow, these people really have it together. And then you get to the tabletop and nobody even knows that document exists, you know. And then there's the other side of the coin, where they may not have something documented, but these people know their stuff, and they are just on it. So it's a perfect engagement and exercise to really test their knowledge on these procedures.

David Moulton: What else from a proactive side? What are some of those strategies that you continue to recommend?

Jacqueline Wudyka: Training is a big one. As we mentioned earlier, that security team, we want to make sure that they're trained on what these new rules require, right? That early escalation, lots of communication moving upwards. So I think that that training and that understanding of why we're doing what we're doing is essential. It's not just because we say so. There's a bigger picture here. On the other side of the coin is the training of the executives and the board of directors that haven't necessarily had to speak the cybersecurity language before. This is relatively new. And I think having that foundational understanding of -- understanding the risk of cybersecurity, because that's really the main point here. That's something that they're going to have to gain that understanding of, for sure.

David Moulton: Jacqueline, how can organizations identify when they need outside help complying with these new regulations?

Jacqueline Wudyka: So one of the interesting parts of this regulation is that it's actually requiring you to say if you have an outsider, a third party, helping you with this cybersecurity. We don't know if it's a good or a bad or what it is, but it's definitely interesting. So in making that partner determination, one of the biggest things we always recommend is having it be a trusted advisor. Not coming in for the first time when you need to make that materiality determination. Because as we mentioned, it's so tough to know if you're not familiar with the organization. So if you have somebody that knows your organization, knows how you operate, and is that trusted advisor throughout, and then when you're in this situation is able to come in and help. That's amazing. It's -- there's a saying in the legal realm, that availability is the best ability. And I think that applies here, for sure. But I think to answer your question, as far as outside help goes, is how well staffed are you? If you have significant teams dedicated to cybersecurity, you might be fine. But unfortunately, it tends to be a realm where we don't get the big bucks all the time. So it definitely helps having a consultant come in and having that trusted advisor whenever you need them.

David Moulton: Do you think that the SEC leading with this regulation is going to impact how other countries change their financial disclosure for material breach?

Jacqueline Wudyka: So I think it depends where. I think it's a bit maybe so. And I say that, because I think Europe has always been so much more demanding. Not in a good or a bad way, just they've always asked for more and quicker and faster. So I think that they may not be as influenced by these new regulations, whereas other places may these -- may take inspiration from these new rules. But what is interesting is staying domestically, we're seeing these already influenced. I was reading the other day, private equity firms are now going to have something aligned with these new SEC disclosures. So it's a big maybe all around. But definitely domestically.

David Moulton: Do you see different attorneys general at the state level pushing for something that's even more aggressive?

Jacqueline Wudyka: That's interesting. I think that now that this is going to become more of a conversation, more top of mind, maybe. Yeah. Because they're going to start realizing the harm, whatever that means to whoever it is, but that it's a real thing. Right? I don't think cybersecurity has been top of mind the way that it is now and the impact that it's having. I actually saw Palo Alto had posted that 96 percent of companies have experienced an incident in 2022. And it was a couple of trillion dollar market. So because of the impact it's having, I wouldn't be surprised if states started to step up and have more rigorous requirements moving forward.

David Moulton: Jacqueline, looking ahead, do you anticipate any amendments or expansion to these rules based on the experience of the last six months, or have any predictions about how this is going to impact the landscape overall that you think are interesting to share?

Jacqueline Wudyka: Sure. So definitely guesswork here, right? But I think we're going to have a better idea of what is materiality in the sense of cybersecurity. Once we have more disclosures, and once we see what the SEC pushes back on and what they accept, I think it's going to have -- give organizations a much clearer picture of what the SEC is expecting. Another interesting point as far as the four days, I've heard, is this too late? And it's interesting because when an organization has an incident, and especially if it's a material incident, they tend to make a public disclosure in a statement or on social media, or however they tend to do it. And I think it's important that this disclosure is aligned timing wise with that statement. Because if the goal here is to protect investors, then they should have access to that information in an extremely timely manner. Between that four days after the materiality, and then also what is material and gaining a better definition, I think we'll definitely have a better insight into that in the next couple of months or years or who knows.

David Moulton: If you're a listener, what's the most important set of ideas that you want them to take away from this conversation?

Jacqueline Wudyka: I think it's being proactive. Having that approach is going to be [Music] the best way of handling these new rules. Whether that be defining materiality, establishing who's actually going to apply that definition when the time comes, configuring your tools. And then as we mentioned earlier, just testing backups, plans, procedures, it's that proactive approach where it's going to take you far. [Music]

David Moulton: As I reflect on our conversation, it's clear that the intersection of cybersecurity and law is not just evolving, it's dynamically reshaping how organizations approach security and compliance. The introduction of the SEC Cybersecurity Regulation isn't just a legal requirement. It's a catalyst for a much needed shift towards a proactive security posture. I heard a couple of key themes that stood out from Jacqueline. First, the importance of understanding and defining materiality within the context of cybersecurity incidents. Though challenging, this is crucial for compliance and for safeguarding investor interests. Jacqueline's insight into the tangible impacts of the SEC regulations, particularly on governance, risk management, and reporting, highlights the ongoing adjustments and enhancements companies are making to align to these new standards. Second, I think that her point that preparedness, whether through tabletop exercises, revisiting security tools, or simply ensuring that cybersecurity conversations are happening at the highest levels of an organization, is incredibly important. These regulations are pushing companies to bolster their cybersecurity infrastructure, and to foster a culture of security awareness and responsiveness. If you're interested to learn more about Unit 42's world class consulting team, I've included links in our show notes. And if this topic is important to you, you should check out our special webinar, The Ransomware Landscape, Threats Driving the SEC Rule and Other Regulations. Scott Becker from ActualTech hosts Jacqueline and Unit 42 consultants and experts Steve Dyson, David Furone, and Sam Kaplan. I've included a link to the webinar as well. Next time on Threat Vector, I'll speak with Sam Rubin, Vice President and Global Head of Operations at Unit 42, to discuss his recent congressional testimony on ransomware attacks. He talks about the evolving sophistication of ransomware attacks, the impact on sectors like education and health care, the role of AI in cybersecurity defense, public private partnerships, and the importance of preparing the cyber workforce of the future. It's a great conversation you don't want to miss. Finally, I want to thank the Threat Vector team. Our executive producer is Michael Heller, content and production by Shaida Azimi, Sheila Drotsky, Tanya Wilkins, and Danny Melred. I edit the show and Elliot Peltzman is our audio engineer. We'll be back in two weeks. Until then, stay secure, stay vigilant. Goodbye for now. [Music]