Good idea in theory – or too much devil in the details?
Just for a second, imagine you’re responding to a serious cybersecurity incident. You’re feeling overwhelmed as a million decisions and data points run through your mind…
Have we contained the attackers? Do we fully understand the extent of the penetration? Was any data exfiltrated? The questions keep coming, but let me add a new one for you: How much time do you have to file a Form 8-K disclosure with the Securities and Exchange Commission? Better think fast, because you may only have four days to report to the authorities that your event will, or won’t, have a material impact on your company’s stock price. If you’re not familiar with SEC lingo, “material” means anything that could impact a decision to buy, hold, or sell a stock.
Of course, you will not have concluded your investigation of the incident (sometimes they take more than four days!), so anything you put in the 8-K will have to be revised or clarified at a later date. But let’s assume you filed that 8-K, and now find yourself yanked off incident response/remediation and instead chatting with investors, regulators, and the press. Or worse, what if you didn’t think the incident was material at the time and opted not to file the 8-K report – but find out months later that a time-release breach is now having a major, material effect on the company’s valuation?
The proposed SEC regulation details
These new plot twists could be coming to an incident response process near you, in the very near future, if a proposed SEC regulation is made law. Since the comment period has already passed, we should expect to see final regulation published soon. Specifically, the proposal will require:
- Current reporting about material cybersecurity incidents on Form 8-K within four business days
- Periodic disclosures regarding, among other things:
  - Company policies and procedures to identify and manage cybersecurity risks
  - Management’s role in implementing those policies and procedures
  - Board of directors’ cybersecurity expertise and risk oversight
  - Updates about previously reported material cybersecurity incidents
The compressed four-day timeline jumped out at me. But if you read the fine print, the agency is allowing an indeterminate amount of time to investigate the incident and determine if it is, indeed, material. However, you are still likely to find yourself making a public disclosure before you’ve completed your entire incident response process. This new time-bound reporting requirement is likely to disrupt real-time mitigation and, barring extreme examples like the Sony breach of 2014, you probably won’t know if something is material within that four-day period.
Other ramifications of the proposed regulation
The requirement to provide updates on previously disclosed material incidents also got my attention. There is a rule in the fine print to report multiple nonmaterial events that in aggregate could be considered a material event. Given the amount of scrutiny and personal legal liability that attach to these assertions, it’s going to get burdensome for both the company and individual executives. I can see a cottage industry of trial lawyers springing up to represent disgruntled shareholders suing for damages caused by managers who are shown to be negligent during a breach.
The cybersecurity industry is not in the habit of providing formal external reporting on previous events, outside of major publicly reported breaches, so this will create an entirely new work stream. We will also need to re-think what we’re reporting from an incident perspective. The aggregation rule, under which several nonmaterial events add up to a material one, will be the hardest item to manage. Do you simply report all your events to avoid being deemed to have under-reported in the future? The volume would be unmanageable, and the answer would depend on each company’s unique risk management posture.
Management’s new role in reporting and cyber governance, and the board’s new responsibility to shed light on their expertise and oversight, will drive extra scrutiny on enterprise security programs. This puts the CISO on the hot seat.
Forge ahead with collaboration
Let’s turn challenge into opportunity and use this new regulatory reality to drive closer partnerships with boards and executive teams. BoDs may also be enticed to add former CISOs to their ranks to advise on corporate cyber policies and practices.
Whether these requirements go into effect or not, we are inevitably moving in this direction, so everyone needs to get ready. How?
- Make sure your incident response process is fully mature.
- Consider adding an executive leader who can tag-team on incident response while you’re pulled away talking to SEC officials, angry investors, or members of the media.
- It would also be prudent to add an attorney with investor relations expertise to your team. However you slice it, you’re going to be making more, and more complicated, public filings. Having someone with this skillset should help streamline the process (and help keep you out of trouble).
Now is a good time to give your executive team and board a heads-up that this is coming. Don’t forget to upgrade your D&O liability insurance, and think about setting budget aside for settlements and litigation. Another opportunity has arrived for security professionals to join forces with BoDs and ELTs for this next phase of cybersecurity maturity, the refinement of best-practice standards, and deeper cyber integration between people, processes, and technologies.