Threat Vector 10.19.23
Ep 7 | 10.19.23

Emerging SEC Rules with Kate Naunheim


David Moulton: Welcome to "Threat Vector," a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. [ Music ] Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. [ Music ] In today's episode, I'm going to be talking with Kate Naunheim about the new SEC rules. Kate is a Cyber Risk Management Director at Unit 42 with over 15 years-experience in technology solutions delivery and a decade of expertise in cybersecurity. The information provided on this podcast is not intended to constitute legal advice. All information presented is for general informational purposes only. The information contained may not constitute the most update, legal or interpretative compliance guidance. Contact your own attorney to obtain advice with respect to any particular legal matter. [ Music ] Kate, thanks for joining me today on "Threat Vector." I want to start us off with a really simple question: What is the SEC?

Kate Naunheim: I'm really glad you started there David. So, the SEC is essentially the U. S. Securities and Exchange Commission, which is an independent agency that was established in 1934, really after the Stock Market crashed in 1929 and the resulting Great Depression. It oversees multiple functions related to the securities market. So, things like enforcement of laws, regulation, registration of securities, reporting, [inaudible 00:13:04] protection, and rule-making. The agency helps create a level playing field and ensures transparency, and protects the interest of investors.

David Moulton: What are SEC rules Kate?

Kate Naunheim: Yes, so SEC final rules are legally binding regulations relates to enforce securities laws.

David Moulton: Can you explain the rational between the SEC's decision to introduce cyber regulations at this time?

Kate Naunheim: The SEC Chair, Gary Gensler said that currently, many public companies provide cybersecurity disclosure to investors, but he said "I think its companies and investors alike would benefit if this disclosure were made in a more consistent comparable and decision-useful way, through helping to ensure the companies disclose materials cybersecurity information."

David Moulton: How would these regulations affect reporting and disclosure requirements for publically traded companies?

Kate Naunheim: Yeah, so there's several requirements for publically traded companies. The first is that the new form AK Item 1.05 will require registrants to disclose any cybersecurity incident they determine to be material and describe the material aspects of the nature of scope and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant. This really must be done within 4 business days of determining that an incident is material. There will be another requirement through new regulation SK Item 106 which will require registrants to describe their processes, if any, for accessing identifying managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have material affected or are reasonably likely to materially affect the registrant. And then form 6K will be amended to require form private issuers to furnish information of material cybersecurity incidents that they make, were required to make public or otherwise disclose in a foreign jurisdiction to any stock exchange or to security holders.

David Moulton: Are there specific industries or sectors that will be more heavily affected by these regulations? Why is that?

Kate Naunheim: Yes, David, so there are definitely industries that will be impacted more greatly by the final rule. Any industries that have high numbers of cybersecurity incidents will be more heavily affected. Those are things like publically traded companies in industries like manufacturing, finance, professional services, health care services, energy and utilities, and then any publically traded companies in industries that are not highly regulated or subject to compliance requirements may also be affected, because those industries will have to scramble to develop their cyber risk management programs quickly.

David Moulton: What steps should organizations take to ensure compliance with the new cyber regulations and what are the potential consequences of noncompliance?

Kate Naunheim: For many publically traded companies, they'll have to start reporting in December, material cyber security incidents. So, organizations should first develop resources to identifying a playbook for how this is done, because cobbling together the appropriate procedures from separate policies and groups is going to be prohibited if an incident does occur. Following this organization subject to the rules, should immediately perform a gap assessment against the new requirements to understand where they fall either through a self-assessment or independent assessment. And then when they've identified those gaps, they need to implement corrective actions through a workflow system and set due dates so the remediations are really completed in a timely manner. These corrective actions are likely going to include changes to policy and procedures, process creation, materiality analysis, processes, and SEC reporting processes. And then once their remediations are complete, the company should perform a reassessment to make sure they have closed all the gaps.

David Moulton: How do these regulations align with existing cybersecurity standards or framework such as NIST or ISO?

Kate Naunheim: The new regulations line well with the frameworks at a high-level and that both NIST and ISO require risk management programs are in place. For example, NIST maintains the NIST [inaudible 00:16:53] for risk management framework and that's a comprehensive approach to risk management. But NIST also maintains special publication 853 Revision 5, which is, "security and privacy controls for information systems and organizations." ISO 27001 and 27002 also have [inaudible 00:17:09] to risk management such as requirements for information security risk assessments and treatments, as well as general risk management requirements.

David Moulton: Kate, looking at what trends or developments in cybersecurity regulation should we be watching out for in the near future?

Kate Naunheim: I'm really interested to see what comes to the push for harmonization of cybersecurity frameworks. Due to an increasingly crowded field of laws and regulations with respect to cybersecurity standards, on July 19th, 2023 the Office of the National Cyber Director, ONCD, released a request for information or RFI asking for public comment on opportunities, foreign challenges to harmonizing federal cybersecurity regulations. An effort to harmonize competing requirements and assessments is long overdue. So, this focus has the potential to be really beneficial. I'm very interested to see what comes along with that. And this SEC rule is just one of a number of efforts in the U.S. and around the globe where policymakers are expecting to do more on their cybersecurity posture. Many of these recent regulatory efforts and proposals focus on two similar buckets; cyber incident reporting and cyber risk management plan. [ Music ]

David Moulton: Hey, thanks for joining me today on "Threat Vector." This conversation has been a great reminder of how integral security has become for every organization. If you're interested in going deeper on this topic, join the Unit 42 experts on November 9th for a webinar on the proposed SEC rules. A link will be in the Show Notes. The title of that webinar is The Ransomware Landscape: Threats Driving the SEC Rule and Other Regulations. We'll be back on the CyberWire in two weeks. In the meantime, stay secure, stay vigilant. Goodbye for now. [ Music ]

Dave Bittner: We hope you enjoyed this week's "Threat Vector" segment. We're hoping to gather some insights from you, our audience, and you would like to shape future "Threat Vector" segments. Would you take three minutes or so to help us out? There's a link on today's Show Notes to our brief survey. Please, share your thoughts. [ Music ] Rick Howard recently got together with Jen Miller-Osborn, Senior Principal Research Scientist at NetWitness and Adam Pennington, the current Lead for MITRE ATT&CK. Here's their conversation.