The Securities and Exchange Commission has given regulated entities a steady stream of new rules to comply with and often complain about. Since last December, registrants’ cybersecurity challenges have been compounded by having to disclose material breaches within as few as four business days, and to include in annual reports details about such incidents and how cyber risks are being managed.
In May, amendments were adopted to SEC Regulation S-P calling for written policies and procedures on how financial firms deal with unauthorized access to customer information. “The basic idea for covered firms is, if you’ve got a breach, then you’ve got to notify. That’s good for investors,” said SEC Chair Gary Gensler.
The four-day rule sounded draconian to some. The concerns were at least marginally mollified by when the clock starts ticking: only at the point when an incident’s impact is determined to be material. (See “In the SEC’s Cyber Disclosure Rules, Timing Is a Sticking Point.”)
However, there is more than just the SEC’s cyber-related mandates to contend with.
At a July 25 hearing of a cybersecurity-focused subcommittee of the House Oversight Committee, Patrick Warren, vice president of regulatory technology at the Bank Policy Institute’s BITS technology division, testified that at least “eight distinct cyber incident reporting requirements” were applicable to financial institutions and were “further complicated by the SEC’s recent public-company disclosure rule.”
CISA’s Jeff Greene: Reporting is a common good.
These included having to report to the Federal Housing Administration within 12 hours of detection, to primary banking regulators within 36 hours, and to Ginnie Mae within 48 hours. Pending implementation of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which is applicable to multiple industries, there will be another, 72-hour requirement to report to the Cybersecurity and Infrastructure Security Agency (CISA).
Ahead of a mandatory rule expected by the first quarter next year, CISA currently invites voluntary reporting via an online portal. “Any organization experiencing a cyberattack or incident should report it – for its own benefit and to help the broader community,” Jeff Greene, CISA executive assistant director for cybersecurity, said on August 29.
“Compiling all those reports – similar but distinct reports – takes a lot of time for front-line cyber personnel, which leaves less time” for resolving the incidents, BPI’s Warren stated.
The overlaps have prompted calls for “harmonization.” One approach could be “to have a single clearinghouse for reporting an incident, either operated within a federal agency such as CISA, or by an independent third party on behalf of the federal government,” Charles Clancy, chief technology officer of MITRE, suggested to the House Oversight subcommittee.
The Streamlining Federal Cybersecurity Regulations Act, a bill introduced by Senators James Lankford, Republican of Oklahoma, and Gary Peters, Democrat of Michigan, would “address the challenges associated with multiple regulatory regimes by establishing an interagency Harmonization Committee at the Office of the National Cyber Director,” said an August 5 press release.
Harmonizing the various reporting requirements across sectors is a stated priority of the Department of Homeland Security (CISA’s parent agency), as reported by Federal News Network.
Reporting burdens are seen as exacerbated by tight deadlines, and some observers raise questions about the effectiveness and cost-benefit balance of the requirements.
The “avalanche” of disclosures some had expected has not materialized, says Katell Thielemann, distinguished VP analyst at research firm Gartner. “The quality of disclosures is uneven – some go into details while others stick to a sentence or two.”
Gartner’s Katell Thielemann: Disclosure quality “uneven.”
“We need to take a closer look at why the SEC made this move,” says Stephen Gates, principal security subject matter expert at Horizon3.ai. “Was it about punishing and publicly shaming companies that got breached, or was it about protecting investors, shareholders and customers?”
After CIRCIA was enacted in 2022, CISA Director Jen Easterly said, “This is not to name, to shame, to blame or stamp the wounded. We are here to render assistance, and then to get information that we can share with our partners while protecting privacy and protecting the victim.”
Some critics are concerned that word of an incident will spread before its scope and impact are fully understood. In effect, that could place a target on the back of the affected firm, as Gates puts it.
“On the whole, you don’t know very much about a breach in 72 hours,” says Bryan Cave Leighton Paisner partner Christian Auty. “Sometimes you are still unsure if the threat is ongoing or has been neutralized.”
Underscoring its seriousness, the SEC followed its cyber-incident rulemaking with reinforcing and clarifying statements. One in May by Erik Gerding, director of the Division of Corporation Finance, covered voluntary disclosures and materiality. His aim was “to encourage the filing of such voluntary disclosures in a manner that does not result in investor confusion or dilute the value of Item 1.05 disclosures [in Form 8-K] regarding material cybersecurity incidents.”
“Given the prevalence of cybersecurity incidents,” Gerding said, “this distinction between a Form 8-K filed under Item 1.05 for a cybersecurity incident determined by a company to be material, and a Form 8-K voluntarily filed under Item 8.01 for other cybersecurity incidents, will allow investors to more easily distinguish between the two and make better investment and voting decisions with respect to material cybersecurity incidents.”
Also in May, the SEC announced a $10 million settlement with New York Stock Exchange parent Intercontinental Exchange over a failure to inform the agency of a cyber intrusion in 2021, as required by Regulation SCI (Systems Compliance and Integrity).
SEC’s Gurbir Grewal: “Every second counts.”
Division of Enforcement Director Gurbir S. Grewal said immediate notification of intrusions allows for swift steps to be taken “to protect markets and investors . . . [The respondents] instead took four days to assess its impact and internally conclude it was a de minimis event. When it comes to cybersecurity, especially events at critical market intermediaries, every second counts, and four days can be an eternity.” The order and penalty “not only reflect the seriousness of the respondents’ violations, but also that several of them have been the subject of a number of prior SEC enforcement actions, including for violations of Reg SCI.”
When Equiniti Trust Co. agreed in August to pay an $850,000 civil money penalty to settle charges related to cyber intrusions in 2022 and 2023, Monique C. Winkler, director of the SEC’s San Francisco Regional Office, said, “American Stock Transfer & Trust Co. [as Equiniti was formerly known] failed to provide the safeguards necessary to protect its clients’ funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets.”
In one incident, the transfer agent followed bogus instructions to send $4.78 million to bank accounts in Hong Kong. That jurisdiction, coincidentally, was recently embroiled in controversy over proposed legislation to authorize fines of up to HK$5 million for cybersecurity lapses. Bloomberg reported that U.S. firms were concerned that the government could gain “unusual access” to computer systems, though that was denied by Hong Kong officials.
With the CIRCIA regulations looming, the American Bankers Association, Bank Policy Institute, Institute of International Bankers and Securities Industry and Financial Markets Association said in a joint letter in June that CISA was failing at providing “regulators timely intelligence without diverting front-line defenders from the immediate task of stopping the attack.”
To avoid “moving forward with another requirement that prioritizes routine government reporting over the security needs of firms,” the associations requested: limiting the scope of reporting to “substantial incidents that affect critical services”; focusing data collection “on what companies ‘need to know’ to prevent contagion”; clarifying and reducing supplemental reporting requirements; and shortening the time that firms are required to keep forensic data.
Gates of Horizon3.ai says he understands CISA’s intent but agrees with the associations that cyber defenses could be strained if reporting diverts energies that need to be directed toward recovering from, and identifying the source of, an attack.
Gates also points out that a network can remain vulnerable even after a breach is discovered, as has occurred in ransomware attacks. “Sounding the alarm too early can lead to various complications,” he warns. “Most attacks are not simple smash-and-grab operations; they often involve prolonged engagement within the network.
“If the attackers realize they’ve been caught, they might speed up their efforts, cause more damage, or leave a mess behind, especially when ransom-related outages and downtime are involved. This would be a worst-case scenario.”
What’s more, sounding an alarm too soon can negatively impact the forensic work needed to assess and analyze the damage. Catching intruders in the act can reveal how they got in and yield insights for bolstering defenses, Gates explains.
Mike Lefebvre, director of cybersecurity, SEI Sphere, says, “All cyber incidents are not created equal. While there are commonalities among attack vectors and subsequent business response, every incident has a unique fingerprint. As such, the argument either for or against public-disclosure timelines is not clear cut.
“Arguably, the biggest risk of public-disclosure regulation is the opportunity it gives an attacker to leverage it to their advantage – whether it’s a newfound awareness that they’ve been discovered, a tip to other adversaries of a new prey, or the weaponization of regulation against a victim.”
There is general agreement on the desirability of open dialogue between regulators and industry, addressing such factors as the time it takes to contain various types of incidents and the appropriate level of detail to disclose.
“I don’t believe firms should be forced to publicly disclose an excessive amount of technical detail that may make them more vulnerable to subsequent attacks, but they should disclose enough for affected parties to understand the impact of the incident,” ACA Aponix managing director Kris Lau maintains.
Despite encouragement of intelligence- and information-sharing by CISA and others, the results have been mixed, Gates says. “Highlighting what happened in a breach shouldn’t be viewed as airing your dirty laundry. In fact, it should be seen as the exact opposite.”
“Sharing information allows us to work with our full breadth of partners so that the attackers can’t use the same techniques on other victims, and can provide insight into the scale of an adversary’s campaign,” CISA’s Greene said.
Acknowledging adversaries’ resourcefulness, Gates describes cybersecurity as “resembling a cat-and-mouse game,” with an accompanying dilemma: Public disclosure of a cyber vulnerability might be seen as an invitation to exploit it. On the other hand, withholding information about root causes can cause a different kind of danger.
Gates stresses the importance of adhering to industry best practices and guidelines, “to demonstrate due diligence and enforce the concept of due care, taking the actions that any reasonable person would in similar circumstances.
“All industries must move beyond the old-school, compliance-based mindset,” the Horizon3.ai expert continues. “They need to make a complete shift, focusing on conducting realistic, adversarial assessment exercises to prove their readiness to fend off real cyberattacks. With the advancements in AI-based, autonomous assessment solutions available today, performing daily self-assessments is a critical step toward ensuring you’re prepared for anything.”
Jeffrey Kutler of GARP contributed reporting for this article.