{"id":919,"date":"2024-11-21T06:00:00","date_gmt":"2024-11-21T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=919"},"modified":"2024-11-21T06:00:00","modified_gmt":"2024-11-21T06:00:00","slug":"what-cisos-need-to-know-about-the-secs-breach-disclosure-rules","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=919","title":{"rendered":"What CISOs need to know about the SEC\u2019s breach disclosure rules"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The US Securities and Exchange Commission\u2019s (SEC) breach disclosure rules have placed increased responsibility on the CISOs of publicly traded companies in the reporting of cybersecurity incidents and risks.<\/p>\n<p>The <a href=\"https:\/\/www.sec.gov\/files\/rules\/final\/2023\/33-11216.pdf\">SEC\u2019s latest disclosure rules<\/a>, which went into effect in December 2023, require listed companies to report any cybersecurity incident determined to be material via Form 8-K within four business days. Other changes mean the SEC requires a lowdown on cybersecurity risk processes and board oversight as part of Form 10-K filings.<\/p>\n<p>The revised rules have put CISOs under increased scrutiny, potentially exposing them to personal liability for either cybersecurity failures or misleading disclosures.<\/p>\n<p>These concerns are far from academic. 
Recent cases, such as that of <a href=\"https:\/\/www.csoonline.com\/article\/657599\/sec-sues-solarwinds-and-its-ciso-for-fraudulent-cybersecurity-disclosures.html\">SolarWinds\u2019 Tim Brown<\/a>, have highlighted how senior security staff can face legal actions over alleged corporate reporting failures about cybersecurity practices at listed companies.<\/p>\n<p>To underline how complicated SEC compliance can get, four years after the SolarWinds breach <a href=\"https:\/\/www.csoonline.com\/article\/3578782\/four-firms-charged-fined-over-handling-of-solarwinds-hack-disclosures.html\">the SEC charged four companies<\/a> over their handling of the software supply chain attack, stating they each made \u201cmaterially misleading disclosures regarding cybersecurity risks and intrusions.\u201d<\/p>\n<h2 class=\"wp-block-heading\">What would qualify as a cybersecurity incident?<\/h2>\n<p>A requirement to report significant cybersecurity incidents is not new, but changes in how the process works increase the involvement and responsibilities of CISOs in the disclosure procedure.<\/p>\n<p>The SEC defines a cybersecurity incident as an unauthorized occurrence or series of related unauthorized occurrences on or conducted through a registrant\u2019s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant\u2019s information systems or any information they contain.<\/p>\n<p>Companies required to file disclosure reports with the SEC must report a material cybersecurity event within four business days of the date they determine the incident is \u201cmaterial to investors\u201d.<\/p>\n<p>\u201cUnder the US federal securities laws, information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment or voting decision, or if it would have significantly altered the \u2018total mix\u2019 of information made available to investors,\u201d says Scott Kimpel, a partner at 
US law firm Hunton Andrews Kurth.<\/p>\n<h2 class=\"wp-block-heading\">What constitutes a materially impactful breach?<\/h2>\n<p>Determining what qualifies as \u201cmaterial impact\u201d related to a security incident is complex since it requires assessing various factors such as financial loss, operational disruptions, reputational risks, regulatory scrutiny or potential legal fallout.<\/p>\n<p>Remediation efforts, legal fees, regulatory fines and any projected revenue loss all need to be factored into calculations of materiality. The extent to which the incident affects business continuity, supply chains, or service availability also needs to be considered.<\/p>\n<p>Each factor must then be considered and contributes to determining the overall materiality assessment which companies are expected to conduct \u201cwithout unreasonable delay\u201d following an incident\u2019s discovery.<\/p>\n<p>\u201cBasically, if an incident could change how investors view the business, it\u2019s likely to be considered material,\u201d according to Luke Dash, CEO of compliance experts ISMS.online.<\/p>\n<p>It\u2019s important to note that materiality is not limited to financial or operational results, says Evan Roberts, co-head of cybersecurity and data privacy communications at FTI Consulting. \u201cThe SEC specifically cites \u2018harm to a company\u2019s reputation\u2019 as a factor in determining materiality.\u201d<\/p>\n<p>The requirement to report incidents without unreasonable delay means that listed companies must be \u201cassessing materiality from the onset of an incident and throughout its lifecycle\u201d, Roberts says. 
\u201cThis process should also be rigorously documented, both when it is initiated and throughout the incident response process.\u201d<\/p>\n<h2 class=\"wp-block-heading\">What factors need to be considered when assessing the impact of a breach?<\/h2>\n<p>The SEC has cautioned that the analysis of a breach\u2019s impact should not turn solely on financial or quantitative factors and that qualitative factors (less tangible) must also be considered.<\/p>\n<p>\u201cAccording to the SEC, in the context of a cybersecurity incident qualitative factors include (but are not limited to) the potential: harm to reputation; harm to customer, vendor or other business relationships; negative impact on competitiveness; and litigation or regulatory investigations or actions,\u201d Kimpel says.<\/p>\n<h2 class=\"wp-block-heading\">Who decides whether a breach is material?<\/h2>\n<p>CISOs are key players in assessing the materiality of a breach, but the burden of assessing materiality needs to be made collaboratively by a suitably qualified team drawn from across multiple business departments.<\/p>\n<p>\u201cDetermining the material impact typically involves collaboration between IT, legal, finance, and executive teams,\u201d according to James Eason, CRA practice lead at cybersecurity services firm Integrity360. \u201cThose playing their part must be ready to act and be fully effective in doing so.\u201d<\/p>\n<p>In effect, enterprises need a ready-to-go incident management response team drawn from senior management. 
\u201cThis necessitates clearly laid out and understood processes and procedures for the response,\u201d Eason says.<\/p>\n<p>CISOs should ideally build relationships within that team prior to an incident, Roberts says, \u201cso that if it does need to be activated, the process to evaluate and make a materiality determination follows a set playbook and with a sense of joint ownership among key leaders within the business.\u201d<\/p>\n<h2 class=\"wp-block-heading\">When does the clock start for breach notification?<\/h2>\n<p>The four-business-day reporting clock does not necessarily start when an incident is discovered, but rather as soon as a materiality assessment determines it\u2019s something that potential investors ought to know about \u2014 and those must begin without the aforementioned unreasonable delay after discovery.<\/p>\n<p>\u201cWhat constitutes \u2018without unreasonable delay\u2019 is harder to quantify,\u201d according to Dash. \u201cThe SEC does not prescribe a set number of days, but the implication in their documentation is that delays should only occur if genuinely needed to gather additional information.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Are there any legitimate reasons for delaying the disclosure of a confirmed breach?<\/h2>\n<p>Disclosure may be legitimately delayed in cases where the US Attorney General agrees that the breach presents a threat to national security or danger to the public; notification of this is to be submitted by the Attorney General to the SEC.<\/p>\n<p>\u201cAside from the procedural aspects, it\u2019s worth noting that CISOs can be held personally liable for data breaches where it is deemed that they have responded inefficiently, or if it is evident that any cover up has taken place,\u201d Eason says.<\/p>\n<h2 class=\"wp-block-heading\">How can companies prepare themselves to meet the SEC\u2019s incident disclosure rules?<\/h2>\n<p>CISOs and their colleagues face tight reporting timelines to be SEC-compliant 
and accountable to investors in the event of a breach or other security incident.<\/p>\n<p>\u201cTo achieve this timeline, a structured response process to gather facts, evaluate impact, and work with leadership to make an informed decision is needed,\u201d Dash says.<\/p>\n<p>For many companies, leveraging <a href=\"https:\/\/www.iso.org\/standard\/27001\">ISO 27001\u2019s<\/a> structured approach to incident response can be invaluable in meeting this challenge, according to Dash. \u201cISO 27001\u2019s framework helps teams establish and maintain detailed processes for managing incidents, assessing risk, and documenting actions in real time. This structure will not only help security leaders make timely materiality determinations but also mean they\u2019re aligned with the SEC\u2019s emphasis on swift, transparent reporting.\u201d<\/p>\n<p>A <a href=\"https:\/\/www.pwc.com\/us\/en\/services\/consulting\/cybersecurity-risk-regulatory\/sec-final-cybersecurity-disclosure-rules\/ciso-role-in-cyber-disclosure.html\">blog post<\/a> by management consultants PwC offers further advice on how security leaders can help reduce their company\u2019s exposure to compliance risks and pre-prepare to meet the SEC\u2019s breach disclosure reporting requirements.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The US Securities and Exchange Commission\u2019s (SEC) breach disclosure rules have placed increased responsibility on the CISOs of publicly traded companies in the reporting of cybersecurity incidents and risks. 
The SEC\u2019s latest disclosure rules, which went into effect in December 2023, require listed companies to report any cybersecurity incident determined to be material via Form [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":920,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-919","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/919"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=919"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/919\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/920"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=919"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=919"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=919"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}