They say a rising tide raises all boats, and in the world of cyber security, “tides” usually come in the form of regulation. The Securities and Exchange Commission (SEC) is maturing its disclosure rules for cyber security incidents this spring, and these changes are raising eyebrows and dropping jaws.
New transparency and time-to-disclosure requirements are at the heart of the rule change. Companies that experience a “material breach” will be required to open up the “kimono” and provide significant transparency into the company’s inner workings within four business days of detecting the breach.
Incident response is the art of managing chaos. The business is impacted; there are many unknowns, many competing priorities, and an implicit desire to get the business back “online.” While disclosure rules are not new, the new requirements will catch many companies unprepared to meet the timing requirement, and will leave others exposed to liability because the disclosure itself may demonstrate a lack of due care.
The proposed rule change states that companies must file an 8-K form within four business days of a material breach, but what does that mean?
The SEC describes a material breach as:
The description of material breach does leave wiggle room. However, the SEC has clarified that they expect all publicly traded companies to report on non-material breaches the company experiences, in the aggregate, likely once a year.
Disclosing the details of the incident is not novel; however, the expected level of detail is undoubtedly increasing. Breached companies will need to share what happened, a timeline of when it happened, the impacts on data, operations and customers and what the company is doing to contain, recover and mitigate other impacts.
At face value, these are reasonable asks, particularly with publicly traded companies. However, four days into an incident, many of these data points are unknown, incomplete, or unverified and, in my opinion, “too raw” for public consumption. This may lead to overly vague disclosures or inaccurate reporting.
The SEC will expect details on how the incident was communicated internally to decision-makers and the board of directors. This will include information about who was notified of the incident, when they were notified, and how they were notified.
This is where the tide starts rising beyond the “what happened” and “what was impacted” line of questions and onto the “who was involved,” “when did they know,” and “what were their decisions?” Such details will expose the company’s (lack of) communication and decision-making protocols.
The SEC will expect details on executive and board positions and what, if any, responsibilities have been delegated for cyber risk. At the executive level, the SEC will be interested in the existence of a Chief Information Security Officer (CISO), the individual’s qualifications and their reporting structure. At the board level, the SEC will be interested in general board awareness of cyber risks to the business, who is responsible for oversight of cyber risk management, and the existence of any cyber risk sub-committees.
This was my first jaw drop. The level of detail required may be almost as embarrassing as the breach itself. Essentially, the SEC is asking:
This requirement focuses on determining whether the company had a defined cyber risk management role, and whether the person in it was a skilled practitioner instrumental in protecting the business or a figurehead (and eventual fall-person) reporting to the wrong executive, which blunts the role’s effectiveness.
The last disclosure requirement revolves around governance and will require breached companies to disclose relevant governance documents (policies, processes, and procedures) which articulate how the company manages cyber risk. Below are some examples:
In a perfect world, these governance documents are alive and well, the lodestar of business operations. Staff are aware of them, trained on them, and practice the processes periodically, and policies carry the risk owners’ annual sign-off. In reality, where cyber-related governance documents exist at all, they are typically outdated, unpracticed, not followed, and dead on the shelf.
Disclosing that these documents do not exist, lack substance, or are incomplete won’t reflect well. However, disclosing stale documents may be even worse for the company, as it will signal to the SEC and investors alike how fast and loose the company has been operating, negligent of apparent risks to the business.
While the new rule updates focus on increasing transparency and accountability for publicly traded companies in the US, it is safe to say the tide will eventually rise for all. Privacy laws are here and growing teeth, and they will likely add similar disclosure requirements for all companies in the future.
Therefore, it’s time to buy a boat. Of course, I don’t mean a pleasure craft, but rather investing in internal governance and risk management and adding disclosure processes to a (hopefully) existing incident response plan, to keep you afloat.
In short, here are five things you can do to prepare for breach disclosure requirements: