Missed a session at the Data Summit? View here on demand.
New rules proposed by the U.S. Securities and Exchange Commission (SEC) that would force rapid disclosure of major cyberattacks are expected to dramatically improve security posture at U.S. companies, cyber industry executives told VentureBeat.
The proposed SEC rules include a requirement for publicly traded companies to disclose details about a “material cybersecurity incident” — such as a serious data breach, ransomware attack, data theft or accidental exposure of sensitive data — in a public filing. And under the proposed rule, the disclosure would have to be made within just four business days after the company determined the incident was “material,” the SEC said.
While the SEC’s main motive is to provide investors with more information about corporate cyber risk, increased planning and spending on security by many U.S. companies are likely results, cyber executives said.
“The truth is, compliance is by far the greater driver of cybersecurity than the desire to be more secure,” said Stel Valavanis, founder and CEO of OnShore Security, a managed security services company.
‘They’re going to spend more money’
The proposed SEC regulation doesn’t necessarily describe a required improvement in corporate security posture, but “the visibility it requires will have that effect,” Valavanis said.
In other words, “yes, they’ll spend more money to avoid ever having to disclose a breach,” he said. “But they will also do things smarter so that they have the data and the process to more accurately assess a breach and report its impact. For me that is a game-changer.”
Karthik Kannan, CEO of Anvilogic, a cyber threat detection company, agreed, saying that “regulation and compliance make for better attitudes – which in turn always translates into more investment.”
Specifically, the new rule around disclosure of “material” cybersecurity incidents would require filing an amended Form 8-K with the SEC.
Other proposed SEC rules would require publicly traded companies to provide updated information about cybersecurity incidents that had previously been made public, as well as the disclosure of a series of past cyber incidents determined to add up “in aggregate” to materially impacting the company.
In a press release, SEC Chair Gary Gensler called cybersecurity “an emerging risk increasingly facing public issuers.”
“Investors want to learn more about how issuers manage those growing risks,” Gensler said. He noted that while some publicly traded companies are already disclosing such information to investors, “both companies and investors would benefit” from consistent and comparable disclosure of cyber incidents.
The SEC said the comment period on the new rules will last 60 days, or until May 9.
The proposed rules are a “good move” by the SEC, as the current rules “essentially allowed companies to release this critical information of their own accord,” said Ray Kelly, a fellow at NTT Application Security.
This has, of course, led to many incidents not being disclosed or not being disclosed in time.
“While we are unable to determine the number of material cybersecurity incidents that are not disclosed or not disclosed in a timely manner, staff observed certain cybersecurity incidents reported in the media but not disclosed in a registrant’s records. the SEC said in a document on the proposed rule.
In terms of what constitutes a “material” cybersecurity incident, the SEC cited several previous cases. From the SEC’s paper on the proposed rules:
Information is material if “there is a significant likelihood that a reasonable shareholder would find it important” in making an investment decision, or if it would have “significantly changed the ‘overall mix’ of information made available.”
In the document, the SEC listed some examples of cybersecurity incidents that could meet the criteria to be “material”:An unauthorized incident that has compromised the confidentiality, integrity or availability of an information resource (data, system or network); or violated the registrant’s security policies or procedures. Incidents can result from the accidental exposure of data or from a deliberate attack to steal or modify data; An unauthorized incident that has caused degradation, interruption, loss of control, damage or loss of operational technology systems; An incident in which an unauthorized party has gained access, or a party has breached authorized access, and altered or stolen sensitive business information, personally identifiable information, intellectual property, or information that resulted in or could result in loss or liability to the registrant; an incident where a malicious actor offered to sell or threatened to sell sensitive company data; or An incident where a malicious actor has demanded payment to recover company data that has been stolen or altered.
The proposed rule changes are an important step toward greater cybersecurity transparency and accountability, said Jasmine Henry, field security director at JupiterOne, a cyber asset management and governance solutions company.
“It’s a public recognition that security is a basic human right and that organizations have an ethical responsibility to their shareholders to proactively manage cyber risk,” Henry said.
In particular, Henry said she is encouraged by the SEC’s focus on cyber incident recovery in the proposed rules. As part of the regulation, the SEC would be required to disclose whether companies have plans in place for business continuity, contingency and recovery in the event of a major cybersecurity incident.
“Applying meaningful change is the most important part of learning from a cybersecurity incident,” Henry says.
As for incident response (IR), organizations will need to ramp up their IR plans if SEC rules are eventually passed, according to Joseph Carson, chief security scientist at Delinea, a privileged access management company.
Currently, four days after a data breach was discovered, many organizations are “still trying to identify the impact,” Carson said.
That’s why many security teams would have to move to a position of “IR-ready” if SEC rules are passed, he said.
Brian Fox, CTO of application security firm Sonatype, said he questions whether a four-day disclosure requirement is the right amount of time.
In severe attacks, companies are usually still in triage and response mode at that point — where enough details aren’t yet known, Fox said. That could potentially lead to misreported information, he said.
In general, however, “greater transparency will lead to more accountability and investment in good security within organizations,” Fox said.
If the rules are passed and companies find themselves in a “struggle to validate their attitudes,” many will realize that “their security solutions are underperforming,” said Davis McCarthy, principal security researcher at Valtix, a cloud-native network security firm.
“Businesses will want to pay off their risk,” McCarthy said, which could further accelerate the shift to cloud platforms that take responsibility for securing hardware infrastructure.
Another notable part of the proposed rules is a section that would require disclosure from any board member with expertise in cybersecurity. That could show whether a company’s board of directors has “the right people doing the work,” McCarthy said.
Overall, the adoption of these rules should have a positive impact on cybersecurity as a whole, executives said.
“More reporting on cyber behavior and what businesses use for risk management will undoubtedly lead to additional investment in this area,” said Padraic O’Reilly, co-founder of cyber risk management company CyberSaint.
And “it’s about time,” said Alberto Yepez, co-founder and director of venture firm Forgepoint Capital — given the many indications that companies’ general safety stance is going in the wrong direction.
For example, 83% of organizations experienced a successful email-based phishing attack in 2021, compared to 57% the year before, according to Proofpoint. Meanwhile, data breaches related to ransomware have increased by 82% in 2021 compared to 2020, data from CrowdStrike shows.
Hopefully, with the new cyber-attack disclosure requirements proposed by the SEC, “this is the start of a tsunami of corporate governance changes,” Yepez said.
VentureBeat’s mission is to be a digital city square for tech decision makers to learn about transformative business technology and transactions. Learn more
This post ‘Game-changer’: SEC cyber disclosure rules would boost security planning and spending was original published at “https://venturebeat.com/2022/03/10/game-changer-sec-rules-on-cyber-disclosure-would-boost-security-planning-spending/”