‘Game-changer’: SEC rules on cyber disclosure would boost security planning, spending


New rules proposed by the US Securities and Exchange Commission (SEC) that would force the prompt disclosure of major cyberattacks are expected to dramatically improve the security posture at US companies, cyber industry officials told VentureBeat.

The proposed SEC rules include a requirement for publicly traded companies to disclose details of a “material cybersecurity incident” – such as a serious data breach, ransomware attack, data theft or accidental exposure of sensitive data – in public filings. And under the proposed rule, the disclosure would need to be made within four business days of the company determining that the incident was “material,” the SEC said.

While the SEC’s main purpose is to provide investors with more information about corporations’ cyber risk, there are likely consequences for the security planning and spending of many US companies, cyber executives said.

“The truth is that compliance is the biggest driver in cyber security, rather than wanting to be more secure,” said Stel Valavanis, founder and CEO of managed security services firm onShore Security.

‘They will spend more money’

The proposed SEC regulation does not spell out required changes to the security posture of corporations, per se – but will “affect the visibility it needs,” Valavanis said.

In other words, “yes, they will spend more money to never reveal the violation,” he said. “But they will also do it in a much smarter way allowing data and processes to more accurately evaluate violations and report impact. For me, it’s a game changer.”

Karthik Kannan, CEO of cyber threat detection firm Anvilogic, agreed and said that “rules and compliance lead to a better posture – which in turn always translates into more investment.”

In particular, the new rule for disclosing “material” cybersecurity incidents would require filing a revised Form 8-K with the SEC.

Other proposed SEC rules would require publicly traded firms to provide updated information about cybersecurity incidents that were previously disclosed – as well as disclosure of a series of previous cyber incidents that have added up, “in the aggregate,” to a material impact on the company.

Improve transparency

In a news release, SEC Chairman Gary Gensler described cyber security as “an emerging threat that public issuers must increasingly struggle with.”

“Investors want to know more about how issuers handle those increased risks,” Gensler said – noting that while some publicly traded companies are already disclosing such information to investors, there is a need for consistent and comparable disclosure of cyber events, from which companies and investors alike will benefit.

The SEC said the comment period on the new rules would last 60 days or until May 9.

Ray Kelly, a fellow at NTT Application Security, said the proposed rules are a “good move” by the SEC, given that current rules allow companies to “disclose this critical information” on their own terms.

This, of course, has meant that many incidents were not disclosed immediately – or at all.

“While we are unable to determine the number of material cyber security incidents that are either not being disclosed or not disclosed in a timely manner, the staff observed some cyber security incidents that were reported in the media but were not disclosed in the registrant’s filing,” the SEC said in a document on the proposed rule.

‘Material’ incidents

The SEC cites a number of past cases on what constitutes a “material” cybersecurity incident. From the SEC document on the proposed rules:

Information is material if “there is a significant probability that a reasonable shareholder considers it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of available information.”

In the document, the SEC has provided numerous examples of cybersecurity incidents that may fit the criteria for being “material”:

  • An unauthorized incident that has compromised the confidentiality, integrity or availability of an information resource (data, system or network), or violated the registrant’s security policies or procedures. Incidents may arise from accidental exposure of data or from intentional attacks to steal or modify data;
  • An unauthorized incident that caused degradation, disruption, loss of control, damage or loss to an operational technology system;
  • An incident in which an unauthorized party accessed, or a party exceeded authorized access and modified or stole, sensitive commercial information, personally identifiable information, intellectual property, or information that resulted, or may result, in a loss or liability for the registrant;
  • An incident in which a malicious actor has offered to sell or has threatened to disclose sensitive company data; or
  • An incident in which a malicious actor has demanded payment for restoring company data that was stolen or altered.

Jasmine Henry, field security director at cyber asset management and governance solutions firm JupiterOne, said the proposed rule changes are an important step towards increasing transparency and accountability in cyber security.

“It is a public belief that security is a fundamental right and that organizations have a moral responsibility to their shareholders to actively manage cyber risk,” Henry said.

Incident recovery

In particular, Henry said she is encouraged by the SEC’s focus on cyber incident recovery in the proposed rules. As part of the regulation, the SEC would require companies to disclose whether they have assembled plans for business continuity, contingency and recovery in the event of a major cybersecurity incident.

“Implementing meaningful change is the most important part of learning from a cyber security event,” Henry said.

As far as incident response (IR) goes, organizations will need to accelerate their IR plans if the SEC rules are adopted, according to Joseph Carson, chief security scientist at privileged access management firm Delinea.

Currently, four days after the discovery of a data breach, many organizations are “still trying to identify the impact,” Carson said.

Thus, many security teams will need to shift to an “IR-ready” position if the SEC rules are adopted, he said.

Brian Fox, CTO of application security firm Sonatype, said he questions whether the four-day disclosure window is the right timeframe.

Too short?

In severe attacks, companies are often still in triage and response mode at that point – when not enough details are known yet, Fox said. That could potentially lead to misinformation, he said.

In general, however, “greater transparency will lead to greater accountability and investment in appropriate security in institutions,” Fox said.

If the rules are adopted, and businesses “end up fighting to get their money’s worth,” many will realize that “their security solutions are underperforming,” said Davis McCarthy, chief security researcher at cloud-based network security services firm Valtix.

“Companies will want to offload their risk,” McCarthy said, adding that this could further accelerate the shift to cloud platforms, which take on the responsibility of securing hardware infrastructure.

Another notable component of the proposed rules is a section that would require disclosure of any board member with expertise in cyber security. That will likely highlight whether “the right people are working on the company’s board,” McCarthy said.

‘About time’

Overall, the adoption of these rules should have a positive impact on cyber security as a whole, executives said.

“Increasing reporting on what companies are using for cyber posture and risk management would be an additional investment in this area,” said Padraic O’Reilly, co-founder of cybersecurity management firm CyberSaint.

And Alberto Yépez, co-founder and managing director of venture firm Forgepoint Capital, said: “The time is near,” given the many signs that the overall security situation in businesses is heading in the wrong direction.

For example, 83% of organizations experienced a successful email-based phishing attack in 2021, up from 57% a year earlier, according to Proofpoint. CrowdStrike data, meanwhile, shows that ransomware-related data leaks increased by 82% in 2021 compared with 2020.

Hopefully, with the new cyberattack disclosure requirements proposed by the SEC, “this is the beginning of a tsunami of change in corporate governance,” Yépez said.
