{"id":1472,"date":"2025-01-10T06:00:00","date_gmt":"2025-01-10T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1472"},"modified":"2025-01-10T06:00:00","modified_gmt":"2025-01-10T06:00:00","slug":"sec-rule-confusion-continues-to-put-cisos-in-a-bind-a-year-after-a-major-revision","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1472","title":{"rendered":"SEC rule confusion continues to put CISOs in a bind a year after a major revision"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Confusion around when and how to report cybersecurity breaches continues to plague companies a year after revised US Securities and Exchange Commission (SEC) <a href=\"https:\/\/www.sec.gov\/files\/rules\/final\/2023\/33-11216.pdf\">cybersecurity breach reporting rules<\/a> came into effect, experts say.<\/p>\n<p>As the agency that regulates and enforces federal US securities laws continues to flex its enforcement muscles against organizations that violate <a href=\"https:\/\/www.csoonline.com\/article\/3609804\/what-cisos-need-to-know-about-the-secs-breach-disclosure-rules.html\">the strict rules<\/a>, which impose a tight reporting deadline for the disclosure of cybersecurity incidents, CISOs and other senior executives are under increasing pressure to quickly assess and report breaches judged to be material \u2014 a challenging determination given their complexity.<\/p>\n<p>Companies get into problems with the SEC when disclosures are either not forthcoming or not timely enough, according to Joe Shusko, a partner with global accountancy firm Baker Tilly\u2019s cybersecurity practice. 
Consequently, they are finding it necessary to develop new strategies to maintain compliance with the rules, the interpretation and application of which aren\u2019t always clear and vary according to specific situations.<\/p>\n<p>\u201cDetermination of materiality isn\u2019t straightforward and shouldn\u2019t be made in isolation \u2014 senior security staff should work with their business operations colleagues, legal counsel, external forensics as part of a disclosure committee,\u201d Shusko told CSO.<\/p>\n<h2 class=\"wp-block-heading\">The SEC\u2019s enforcement isn\u2019t slowing down<\/h2>\n<p>The SEC has taken more than 200 enforcement actions since it gained the power to do so in 2015, with a quarter of those involving cybersecurity incidents. A growing list of charges has been filed against companies it deems to have misled investors about incidents that it considers to be material to stakeholders.<\/p>\n<p>In December 2024, the SEC filed settled charges against Flagstar \u201cfor making materially misleading statements regarding a cybersecurity attack on Flagstar\u2019s network in late 2021,\u201d an attack that exploited the <a href=\"https:\/\/www.csoonline.com\/article\/1267774\/hackers-steal-data-from-millions-of-xfinity-customers-via-citrix-bleed-vulnerability.html\">Citrix Bleed<\/a> vulnerability; the company settled for $3.55 million. The SEC found that while the company did report the breach, it failed to disclose that sensitive customer data of about 1.5 million people had been exposed.<\/p>\n<p>A few months earlier, <a href=\"https:\/\/www.sec.gov\/newsroom\/press-releases\/2024-174\">the SEC fined four companies $7 million<\/a> for \u201cmisleading cyber disclosures\u201d related to <a href=\"https:\/\/www.csoonline.com\/article\/570537\/the-solarwinds-hack-timeline-who-knew-what-and-when.html\">the SolarWinds hack<\/a>. 
The quartet \u2014 Avaya, Check Point, Mimecast, and Unisys \u2014 were faulted for misleading disclosures about the impact of the 2020 software breach on their individual businesses that left investors and other stakeholders in the dark.<\/p>\n<p>The four tech firms each agreed to settle the dispute over its disclosures by paying a fine but without making any admission of wrongdoing. Unisys, which was also charged with security controls violations, agreed to pay a $4-million fine while the other vendors each stumped up around $1 million.<\/p>\n<h2 class=\"wp-block-heading\">CISOs still grappling with fears over a lack of clarity<\/h2>\n<p>Former Uber CSO Joe Sullivan, a security expert <a href=\"https:\/\/www.csoonline.com\/article\/575375\/former-uber-cso-joe-sullivan-and-lessons-learned-from-the-infamous-2016-uber-breach.html\">convicted for obstruction in the reporting of the 2016 Uber privacy breach<\/a>, contends that despite the rising number of examples of enforcement, there are still many uncertainties over exactly how companies can achieve compliance.<\/p>\n<p>\u201cThere is so much fear out there right now because there is a lack of clarity,\u201d Sullivan told CSO. \u201cThe government is regulating through enforcement actions, and we get incomplete information about each case, which leads to rampant speculation.\u201d<\/p>\n<p>Based on its history, the SEC may issue clearer and more detailed guidance on the disclosure rules in the future, Shusko says. However, it is unlikely to make allowances for organizations that fall afoul of the rules even pending future clarification.<\/p>\n<p>The SEC did not immediately respond to inquiries by CSO as to whether any supplementary guidance about its revised reporting rules was in the pipeline. 
Although the incoming Trump administration has promised to slash business regulations in general, whether cyber incident disclosure rules might be modified \u2014 much less when \u2014 <a href=\"https:\/\/www.csoonline.com\/article\/3610683\/cybersecurity-policy-and-practice-likely-to-remain-little-changed-after-trump-takes-the-reins.html\">remains unclear.<\/a><\/p>\n<h2 class=\"wp-block-heading\">Companies should err on the side of transparency<\/h2>\n<p>As things stand, CISOs and their colleagues must chart a tricky course in meeting reporting requirements in the event of a cyber security incident or breach, Shusko says. That means anticipating the need to deal with reporting requirements by making compliance preparation part of any incident response plan, he adds.<\/p>\n<p>If they must make a cyber incident disclosure, companies should attempt to be compliant and forthcoming while seeking to avoid releasing information that could inadvertently point towards unresolved security shortcomings that future attackers might be able to exploit.<\/p>\n<p>\u201cOrganisations should err on the side of transparency,\u201d Shusko says.<\/p>\n<p>Simon Edwards, chief exec of security testing firm SE Labs, advises: \u201cGet the processes in place, including knowing where to find the form to submit to the SEC and maybe even pre-populate it with as much information as possible. 
Then, when the unthinkable happens, there\u2019s less chance to panic and make mistakes.\u201d<\/p>\n<p>Recent fines have also laid the groundwork for the SEC to enact enforcement actions against other non-compliant organizations \u2014 although the SEC disclosure rules are primarily targeted against publicly traded companies, a far greater range of organisations might feel their effects.<\/p>\n<p>Given that disclosure decisions aren\u2019t always straightforward, there is no real substitute for preparedness, and that makes it essential to practise situations that would require disclosure through <a href=\"https:\/\/www.csoonline.com\/article\/570871\/tabletop-exercises-explained-definition-examples-and-objectives.html\">tabletops<\/a> and other exercises, according to Simon Edwards, chief exec of security testing firm SE Labs. \u201cSpeaking as someone who is invested heavily in the security of my company, I\u2019d say that the most obvious and valuable thing a CISO can do is roleplay through an incident.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Company supply chains can also impact breach reporting<\/h2>\n<p>\u201cThe disclosure rules are targeted towards publicly traded organizations, but that doesn\u2019t necessarily mean non-publicly traded organizations are excluded,\u201d Shusko says. \u201cPublic companies will likely expect their business partners to disclose and communicate any cyberattacks that might impact their organizations and as a result their customers. Organisations need to understand their supply chains.\u201d<\/p>\n<p>Baker Tilly\u2019s advice on how companies can mitigate their key IT compliance risks and meet the SEC\u2019s cyber disclosure rules can be found <a href=\"https:\/\/www.bakertilly.com\/insights\/new-sec-cyber-incident-disclosure\">here<\/a>.<\/p>\n<p>Disclosure rules that are open to interpretation mean that some companies will feel obliged to disclose less-serious security incidents. 
For example, Shusko says, even though <a href=\"https:\/\/amwater.com\/corp\/security-faq\">a recent cyberattack against American Water<\/a> had no material impact on the utility, it still disclosed the attack in order to keep its stakeholders informed.<\/p>\n<p>\u201cThere is a lack of clarity about where enforcement actions might start,\u201d Sullivan says.<\/p>\n<p>Senior security professionals and their colleagues face a particular challenge in determining if a security incident is material, and therefore something they are obliged to disclose, or something less serious that can be handled in-house.<\/p>\n<p>\u201c[There\u2019s] confusion about what meets the threshold of \u2018material\u2019 \u2014 companies are all over the place on their disclosures, and the guidance from the SEC has been confusing at best,\u201d Sullivan says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Confusion around when and how to report cybersecurity breaches continues to plague companies a year after revised US Securities and Exchange Commission (SEC) cybersecurity breach reporting rules came into effect, experts say. 
As the agency that regulates and enforces federal US securities laws continues to flex its enforcement muscles against organizations that violate the strict [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1473,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1472","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1472"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1472"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1472\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1473"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1472"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1472"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1472"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}