Responding in harmony: Cyber reporting as a team sport

We live in the age of digital connections. Every industry, every service, every sector utilizes these connections to advance their businesses, whether that’s making manufacturing more efficient or developing the next groundbreaking medication.

The Securities and Exchange Commission’s (SEC) role, at least in the eye of the public, has been to regulate the financial industry. That’s as true as it ever was, but like all industries, the financial sector has come to rely on the exchange of sensitive data across networks to make their processes more efficient, effective and ultimately more lucrative.

But with these great advances come great responsibilities. For publicly traded companies, the risk of a cyberattack affects a lot more than their bottom line. It also affects the thousands of shareholders who trust that these companies have appropriate security and have a plan if things go wrong.

That’s where the SEC comes into the world of cybersecurity.

When the SEC was developing new cyber disclosure rules, its goal was to “provide investors with timely, consistent and comparable information about an important set of risks that can cause significant losses to public companies and their investors.” The rules were meant to empower investors to evaluate those risks as they make investment and voting decisions.

What do the rules actually mean?

The new rules, which went into effect Dec. 18, require publicly traded organizations to disclose and describe in detail any cybersecurity incident they determine to be “material.” That includes the incident’s nature, scope and timing along with the likely impact on the organization. This must be done by reporting the breach on SEC Form 8-K within four business days after the incident is determined to be material.

Disclosure may be delayed if the Justice Department determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing.

But the more interesting parts of the new SEC rules that many may be overlooking are in the regulation that will require organizations to describe their cyber plans annually through SEC Form 10-K. That includes processes for assessing, identifying and managing the risk posed from cybersecurity threats. Companies must also describe the roles of the board of directors and other corporate officers in overseeing cyber risk management, including management’s role and expertise in assessing and managing material risks from cybersecurity threats. Boards have been becoming more cyber-savvy over the past decade, and this is likely to accelerate that trend.

The net effect of these new rules will be to put companies on record about their cyber plans — or lack thereof. While it will satisfy the SEC regulation to say ‘none’ in response to the SEC questions on cyber preparation, a negative response is less likely to be satisfactory to investors and shareholders. One of the goals of the 2023 National Cyber Strategy was to provide transparency in the marketplace about cybersecurity. While much of the focus has been on products (the Federal Communications Commission’s Cyber Trust Mark initiative) or processes (the Secure Software Development Framework created by the National Institute of Standards and Technology and others), this new SEC rule starts to bring greater transparency to organizational-level cybersecurity and resilience.

How can all this get done?

All of this context is important because it underscores how important it will be for the private sector and the public sector to work together. Collaboration has always been a critical component to cyber security readiness and the SEC’s new cyber rules are no exception.

For the SEC’s part, the financial regulator made a good faith effort to listen to industry and other experts on how to improve the regulator’s draft rule back in March 2023. For example, the scope of information to be disclosed was narrowed to avoid providing information that could help threat actors or impede voluntary information sharing between companies.

The FBI also lent a hand in both clarifying and offering guidance around the four-day disclosure mandate and how victims of cyber breaches can request disclosure delays for national security or public safety reasons. This includes guidance on how and when to notify the FBI.

The recommendations aren’t just procedural, either. The FBI offers pre-emptive, relationship-building guidance such as establishing a relationship with the cyber squad at the closest local FBI field office before an incident and participating in collaborative information sharing activities like Infragard.

And since this is a team effort, industry must do its part as well to refine how it responds to a breach, addressing not just technical issues of incident investigation and response, but also outlining an organizational playbook for response with different roles for different parts of the organization. When a significant — or to use the SCC’s term, material — breach happens, organizational elements far beyond CISOs and the security teams that run day-to-day security operations have equities and become involved in the response.

Planning will be key for organizations. As companies revise their cyber incident reporting strategies around the new SEC rules, it’s critical that they ask questions of federal agencies when clarity is needed. The SEC, Cybersecurity and Infrastructure Security Agency and other agencies are there to help and that’s best done before a breach occurs. While it can sometimes seem like government requirements are burdensome and intrusive, I know from experience that these agencies genuinely truly want to make the digital world safer for everyone.

Jim Richberg is head of cyber policy, global field chief information security officer at Fortinet, and a Fortinet Federal Board Member.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.