In the SEC’s Cyber Disclosure Rules, Timing Is a Sticking Point

Assessment and reporting of cybersecurity incidents, long ingrained as risk-management and business-continuity imperatives, have gotten even closer scrutiny at companies subject to Securities and Exchange Commission cyber disclosure requirements. A rule that took effect in December, mandating release of information on a material breach within four business days, magnified complaints about its complexity, costs and consequences.

In addition to the four-day rule, which applies when there may be significant impact on a listed company’s operations or financial condition, annual disclosures are now required regarding cyber risk management, strategy and governance.

The financial services industry, which is widely regarded as among the most experienced and best prepared in cybersecurity and has supported public- and private-sector strategic and policy cooperation, is less on board with the four-day deadline. Heather Hogsett of the Bank Policy Institute’s BITS technology division summarized the objections in a blog article that argued for reconsideration:

 Heather Hogsett of Bank Policy Institute

“In some cases, disclosure [of an incident’s nature, scope, timing and likely effects] would do serious harm to the firm – something a reasonable investor would certainly not want. Most importantly, it means divulging to attackers around the globe how the firm has been affected and how it is responding, giving hackers valuable information to help plan their next attack. It also means the company’s first responders will be diverted from fighting the attack to, instead, working on securities disclosures.”

Hogsett criticized an exception in the rule – allowing extensions up to 120 days if authorized by the attorney general for national security or public safety reasons – saying that “virtually no company will be able to avail themselves of this disclosure delay.”

Eric Gerding, director of the SEC Division of Corporation Finance, in a December statement, said the commission had responded to concerns raised during the rulemaking process, and sought to encourage “timely engagement” with law enforcement and cybersecurity authorities, thus allowing flexibility from the “fixed timeline.”

The overall objective, Gerding said, was to update previous SEC guidance with new rules “provid[ing] investors with the more timely, consistent, comparable and decision-useful information they need to make informed investment and voting decisions.”

When Does the Clock Start?

The four-day timeframe is commonly misunderstood, says Andrew Walls, a Gartner vice president and distinguished analyst. The clock starts once materiality has been determined, not at the time of an incident. And it might go days, weeks or even months before it is even detected.

The evaluation of materiality may take longer than four days, although it should not be delayed unreasonably, Walls adds.

“Gartner does not view the four-day timeframe as onerous,” Walls says. “Detection and evaluation of a cybersecurity incident is a high-priority task for cybersecurity teams. Rapid escalation of events that exceed internally defined impact thresholds is a standard component of mature cybersecurity incident response management programs.”

 Ezra Church of Morgan Lewis

In total, the SEC rule “makes clear that the efficacy of a corporation’s cybersecurity program has a direct impact on the market value of the corporation,” Walls goes on. “Linking the efficacy of cybersecurity investment to corporate value is a net positive for corporations and cybersecurity teams.”

Ezra Church, a Morgan, Lewis & Bockius partner and leader of the firm’s Privacy & Cybersecurity Litigation Practice, points out that “there was extensive comment” on the four-day rule proposal. He says it “is certainly a tight timeline” and agrees it is important that “the time period runs from determination of materiality, not from the incident itself.”

In Church’s view, the SEC sought to avoid early disclosure causing information risk and limited the information that has to be disclosed, while allowing for the national security or public safety exceptions.

Who Is Accountable?

Walls acknowledges that there remains some ambiguity regarding the depth of information required in disclosures. Also still in question is who within a corporation should be involved in the assessment of materiality, and who in the hierarchy would be held responsible for disclosures that the SEC deems inadequate or unsatisfactory.

“Conversations with Gartner’s clients reveal that there is widespread concern about the personal liability of the CISO [chief information security officer] or cybersecurity leader regarding the completeness and accuracy of incident disclosures to the SEC,” Walls says.

 Andrew Walls of Gartner

The issue of individual accountability has arisen in the CISO community because of the criminal conviction on federal charges of a former Uber chief security officer because of the handling of a 2016 data breach.

“Our recommendation,” says Walls, “is that senior cybersecurity leaders discuss the issue of their liability with corporate counsel, investigate whether the CISO should be covered by D&O liability insurance and, possibly, engage private counsel for advice on their personal exposure under the SEC rules enforcement program.”

Defining “Assessments”

Some definitions of terms need to be clarified, according to Stephen Gates, principal security expert at Horizon3.ai. He notes that “assessment” – the process of determining and communicating exposure to and management of cyber threats – “could mean many different things.”

For example, organizations doing comprehensive self-assessments would be able to better prove they are performing due diligence and due care in the event of a cyber incident – especially if done continuously.

Continuous self-assessments should go beyond ordinary vulnerability scans, penetration tests or check-box exercises, Gates continues. Whether in the form of manual or automated adversarial links – think red teams - they would enable an organization to uncover truly exploitable weaknesses, remediate them promptly, verify that risk has been reduced and track improvement over time.

Conducted internally or through a third party, and with effective technology, continuous self-assessments “would not only fare better in the event of a targeted cyber attack, but may also [result in] lower or slower-growing cyber insurance premiums,” Gates says. Thus it’s “a win-win for publicly traded companies, their clients, their investors, and all industries as a whole.”

Planning and Governance

A key message coming through the SEC policy, says Church of Morgan Lewis, is the need for advance planning. That includes designating an incident response team with internal and external advisers on call, having and following an incident response plans, and staying sharp with tabletop exercises.

Gartner analyst Walls sees the SEC rule as part of a global regulatory trend. Multiple federal, state and provincial governments already have such disclosure rules in place and are adding some to address significant security incidents.

“Transparency is now the norm for cybersecurity incident response,” Walls stresses. “As such, it behooves every organization – not just those that report to the SEC – to maintain effective cybersecurity risk management programs which include robust management of security incidents.”

Although there is no codified requirement for cybersecurity representation at the board level, there is an implicit expectation that senior corporate executives be sufficiently informed about cybersecurity to guide the assessments of materiality.

“A lack of appreciation for the pervasive reach of cybersecurity issues may limit the accuracy or appropriateness of materiality assessments and consideration of cybersecurity investment strategies to prevent material incidents,” Walls concludes.

Michael Lefebvre, director of cybersecurity at SEI Sphere, asserts that the SEC rule is just a starting point and “will have to evolve . . . The public focus has been on the mandatory disclosure part,” which he believes distracts attention from management strategy and cyber risk governance.

“I understand the SEC rationale is on the breach disclosure side because something material has happened that could impact revenues for an organization, and the shareholders should know,” Lefebvre continues. “But I want to know what's happening to prevent that breach in the first place.”