It’s February 16th, 2024 and time for Point of View Friday, where we cover a single topic from multiple perspectives. Today’s point of discussion is the Securities and Exchange Commission’s change in cybersecurity disclosure rules. We have perspectives today from Trac Bannon in Camp Hill, Pennsylvania, Olimpiu Pop from Transylvania, Romania, and Katy Craig in San Diego, California. We’ll start with Trac Bannon

 

Point of View Friday: The Securities and Exchange Commission’s change in cybersecurity disclosure rules.

 

Tracy (Trac) Bannon
SEC’s New Cybersecurity Disclosure Rules: A Double-Edged Sword?

The Securities and Exchange Commission, SEC, has recently mandated a seismic shift in how companies disclose cybersecurity incidents. But are the new cybersecurity disclosure rules a double-edged sword?

Hello, this is Trac Bannon reporting from Camp Hill, Pennsylvania.

This new directive, itemized under 1.05 of form 8-K, requires firms to publicly announce significant cybersecurity breaches within four business days of their recognition AND companies are obligated to divulge their cybersecurity management strategies every year. They also must identify the executives responsible for the policies. They have to name names.

Gary Gensler, the chairman of the SEC, says that just like investors should know if a company’s factory burns down, they should know if a company has had a major cybersecurity problem. The intent is to bolster investor awareness and confidence. Now corporations must tell the public, mostly for the investors, whenever they have a significant incident. This part makes sense. They also have to share details of how they handle the cybersecurity risks and who is in charge of it every year. However, the practicality and efficacy of these rules in enhancing cybersecurity may not be as black and white as the SEC suggests.
Under these guidelines, not only do companies need to report actual incidents, but they also have to reveal the response plans in an annual 10-K filing, as per regulation S-K Item 106. This requirement extends to foreign companies with US investors who must also adhere to similar disclosure standards through the forms 6-K and 10-K. A lot of forms, a lot of information.

Yet the definition of “material” cybersecurity incident remains nebulous. This leaves companies in a quandary about what precisely warrants disclosure.
Then there’s the potential conflict with national security interests. That’s right. The US Attorney General could delay disclosure to safeguard national security. From a critical standpoint, these regulations appear to be well-intended. That said, they may not be as beneficial as they appear. They add more red tape and could expose sensitive information that might help the threat actors.

Here’s a silly yet relevant example. Imagine the KanSaaS City Chiefs publicly announcing their Super Bowl game plans. That info might have helped the Forty-Niners and altered the outcome of the game. Probably not.

For businesses, the tight deadlines imposed could rush companies to report before they fully understand what happened. Could this lead to panic or misinformation? We shall see.
In essence, these rules exemplify a classic scenario where intervention aimed at solving one problem could unintentionally create several others. The balance between transparency and practical business operations, particularly in the delicate realm of cybersecurity, is precarious. The SEC’s endeavor to foster openness and protect investors could paradoxically impose unwieldy burdens on companies and even jeopardize the very security it seeks to enhance.

Something to noodle on.

Resources
https://www.sec.gov/news/statement/gerding-cybersecurity-disclosure-20231214
https://www.sec.gov/news/press-release/2023-139
https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/sec-final-cybersecurity-disclosure-rules.html
https://www.thomsonreuters.com/en-us/posts/government/sec-cybersecurity-rules/
https://www.gibsondunn.com/sec-adopts-new-rules-on-cybersecurity-disclosure-for-public-companies/

 

Olimpiu Pop
The SEC is the US Governmental Organization that actually improves cybersecurity

“Of all the organisations involved in defending the US cyber realm, it is a surprise which is the most successful one. Would you guess which one am I referring to? The Securities and Exchange Commission. Yes, that’s true – it has nothing to do with cybersecurity, technology or cloud. But, you got it has everything to do with the stock exchanges. And the synonym for the stock exchange is money: tons of money. And, unfortunately companies run on money.

Not long ago the SEC charged both SolarWinds and its Chief Information Security Officer with fraud based on decades-old legislation. Lying is still lying even when referring to software or its security.

Now, the attention of the commission moved towards SaaS and SaaS-to-SaaS connections.
Gary Gensler, SECs chair declared:

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

This simply reads: the cyber risks of SaaS are still present, even if they are in the clouds! And I have to agree with him. For far too much time, we acted like the software realm was not real, even though it handles our fortunes, safety and even health. Even though cyber legislation is coming for the whole world, I am certain that the new rules on cybersecurity risk management, strategy, governance and incident disclosure coming from the Securities Exchange Commission will have much more impact. It’s always easier with the carrot, or with threatening to fence the access to it, in this case.

But is the SaaS ecosystem that large to require new rules? According to Statista, by the end of 2022, the average global organisation was using 130 SaaS applications. To extract even more value, typically these SaaS are interconnected and that will grow even more with the rise of Large Language Models Services. For your average CISO, that translates into a more complicated, interconnected and nebulous digital ecosystem to oversee. More than that, there is a huge gap between the SaaS’ perceived security and its security. According to AppOmni’s State of SaaS Security report, 71% of organizations rated their SaaS cybersecurity maturity as mid to high, yet 79% suffered a SaaS cybersecurity incident in the last 12 months.

So, I have to admit that this will probably create more traction in improving cybersecurity. Mostly, because it touches on the right pedals: the CEO and CFO are the ones who usually look at what SEC has to say and if they are talking about cybersecurity and incidents, the decision-makers will finally listen. Olimpiu Pop, reported from Transylvania, Romania.

Resources
https://www.sec.gov/news/press-release/2023-139
https://thehackernews.com/2024/01/the-sec-wont-let-cisos-be-understanding.html
https://www.forbes.com/sites/forbestechcouncil/2024/01/08/how-sec-action-could-shake-up-cybersecurity
https://appomni.com/saas-security-report-2023-sspm

 

Katy Craig
New SEC Rules Tighten the Noose on Cybersecurity Accountability

In a groundbreaking move, the Security and Exchange Commission, SEC, laid down the law on cybersecurity, sending a clear message to public companies: no one is above accountability, especially when it comes to protecting consumer data.

This Katy Craig in San Diego, California.

With cybersecurity incidents making headlines and shaking investor confidence, the SEC’s new mandates are a game-changer, underscoring the critical importance of cyber incident disclosures and cybersecurity readiness, irrespective of where the data resides, be it on-premises, in the cloud, or within SaaS environments.

This shift signifies a monumental step forward in how cybersecurity is managed and reported. The SEC’s stance is unambiguous. “We do not believe that a reasonable investor would view a significant data breach as immaterial, merely because the data are housed on a cloud service.” This perspective challenges companies to rethink their cybersecurity strategies, emphasizing that the security of third- and fourth-party applications is just as critical as that of in-house systems.

The recent charges against SolarWinds and its Chief Information Security Officer for Fraud, highlight the urgency of these new requirements. It’s a stark reminder that when it comes to cybersecurity breaches, the buck stops at the top. The era of passing the blame down the ladder is over. Now, CISOs and senior executives must shoulder the responsibility for any cybersecurity lapses.

Why is this important? Because cybersecurity is not just an IT issue, it’s a business imperative. In today’s digital age, a single breach can tarnish a company’s reputation, erode customer trust, and lead to significant financial losses. The SEC’s updated mandates are not just about ensuring companies have robust cybersecurity measures in place, they’re about making sure that those at the helm are actively involved in safeguarding their company’s digital assets.

This evolution in regulatory oversight is a clarion call for all public company executives. It’s no longer sufficient to delegate cybersecurity responsibilities and hope for the best. From the CISO to the CEO, accountability must be embraced at every level.
As the SEC tightens its grip on cybersecurity compliance, it’s time for corporate leaders to step up and prove that they’re capable of protecting not just their data, but also their investors and customers.

In conclusion, the SEC’s new cybersecurity mandates are a pivotal moment for corporate America. They underscore the need for a top-down approach to cybersecurity, where senior leaders are not just aware of the threats, but are actively engaged in defending against them. The wake-up call that in the digital battlefield. Everyone from the CISO and hire is on the front lines. This is Katy Craig. Stay safe out there.

 

Hillary Coover: Thanks for listening to Point of View Friday. If you like what you heard, please subscribe to it’s 5:05 on your favorite podcast platform. It’s 5:05 is a Sourced Network Production based in New York City. This is your host, Hillary Coover. Have a great weekend.