The times are a-changin'
They say a rising tide raises all boats, and in the world of cyber security, “tides” usually come in the form of regulation. The Securities and Exchange Commission (SEC) is maturing disclosure rules related to cyber security incidents this spring, and these changes are raising eyebrows and dropping jaws.
New transparency and time-to-disclosure requirements are at the heart of the rule change. Companies that experience a “material breach” will be required to open up the “kimono” and provide significant transparency into the company’s inner workings within four business days of detecting the breach.
Incident response is the art of managing chaos. The business is impacted; there are many unknowns, many competing priorities, and an implicit desire to get the business back “online.” While disclosure rules are not new, the new requirements will catch many companies unprepared to meet the timing requirement and will leave others exposed to liability, as the disclosure may demonstrate a lack of due care.
Here are five things you need to know:
What is material anyways?
The proposed rule change states that companies must file an 8-K form within four business days of a material breach, but what does that mean?
The SEC describes a material breach as:
- Impacting business operations; or
- Impacting products or services; and
- Creating a substantial financial impact on the company.
The description of material breach does leave wiggle room. However, the SEC has clarified that they expect all publicly traded companies to report on non-material breaches the company experiences, in the aggregate, likely once a year.
Disclose details of the breach
Disclosing the details of the incident is not novel; however, the expected level of detail is undoubtedly increasing. Breached companies will need to share what happened, a timeline of when it happened, the impacts on data, operations and customers, and what the company is doing to contain, recover and mitigate other impacts.
At face value, these are reasonable asks, particularly with publicly traded companies. However, four days into an incident, many of these data points are unknown, incomplete, or unverified and, in my opinion, “too raw” for public consumption. This may lead to overly vague disclosures or inaccurate reporting.
Disclose how the breach was communicated
The SEC will expect details on how the incident was communicated internally to decision-makers and the board of directors. This will include information about who was notified of the incident, when they were notified, and how they were notified.
This is where the tide starts rising beyond the “what happened” and “what was impacted” line of questions and onto the “who was involved,” “when did they know,” and “what were their decisions?” Such details will expose the company’s (lack of) communication and decision-making protocols.
Disclose how the company manages cyber risk responsibilities
The SEC will expect details on executive and board positions and what, if any, responsibilities have been delegated for cyber risk. At the executive level, the SEC will be interested in the existence of a Chief Information Security Officer (CISO), the individual’s qualifications and their reporting structure. At the board level, the SEC will be interested in general board awareness of cyber risks to the business, who is responsible for oversight of cyber risk management, and the existence of any cyber risk sub-committees.
This was my first jaw drop. The level of detail required may be almost as embarrassing as the breach itself. Essentially, the SEC is asking:
- Who owns cyber risk?
- Should they have been responsible?
- Were they enabled to manage cyber risk appropriately?
This requirement focuses on determining if the company had a cyber risk management role defined and whether they were a skilled practitioner instrumental in protecting the business or a figurehead (and eventual fall-person) reporting to the wrong executive, blunting the role’s effectiveness.
Disclose cyber governance
The last disclosure requirement revolves around governance and will require breached companies to disclose relevant governance documents (policies, processes, and procedures) which articulate how the company manages cyber risk. Below are some examples:
- Cyber-related policies
- Incident response plans
- Business continuity and disaster recovery plans
In a perfect world, these governance documents are alive and well, the lodestar of business operations. Staff are aware, trained, and practice the processes periodically, and policies carry the risk owners’ annual sign-off. However, where cyber-related governance documents do exist, they are typically outdated, unpracticed, not followed, and dead on the shelf.
Disclosing that these documents do not exist, lack substance or are incomplete won’t reflect well. However, disclosing stale documents may be even worse for the company as it will signal to the SEC and investors alike how fast and loose the company has been operating, negligent of apparent risks to the business.
Tides rise; time for a boat
While the new rule updates focus on increasing transparency and accountability for publicly traded companies in the US, it is safe to say the tide will eventually rise for all. Privacy laws are here and growing teeth, and they will likely add similar disclosure requirements for all companies in the future.
Therefore, it’s time to buy a boat. Of course, I don’t mean a pleasure craft, but rather investing in internal governance and risk management and adding the disclosure processes to a (hopefully) existing incident response plan… to keep you afloat.
In short, here are five things you can do to prepare for breach disclosure requirements:
- Mature Cyber Risk Management and Governance
  - Validate that governance documents exist, meet disclosure requirements, and accurately reflect the business’s desired risk management capabilities.
  - Ensure governance documents are reviewed and signed off by risk owners periodically.
  - Create a risk register to track, discuss and treat risk.
- Shore Up Accountability and Decision Making
  - Establish who owns cyber risk and whom they report to.
  - Establish a risk acceptance mechanism to track risk decisions and “overrides.”
- Increase Awareness and Qualifications
  - Ensure all team members understand where to find and how to use governance documents.
  - Increase awareness at the executive and board levels through workshops and tabletop exercises.
- Tool Up
  - Consider a Governance, Risk Management and Compliance (GRC) tool to manage, track and package governance documentation if required.
  - Consider leveraging a ticketing system to track communications and decision-making during an incident to align with disclosure requirements.
- Prepare For a Bad Day
  - Conduct tabletop exercises with executives and technical teams alike to test plans and ensure the company is prepared for when, not if, a breach happens in the future.
  - Create a document disclosure checklist and validate that all required data is up to date and can be packaged within four days.