The Securities and Exchange Commission (SEC) last week voted on a set of new cybersecurity disclosure rules for public companies, which require registrants to disclose a cybersecurity incident within four business days of determining that it is material.
In a statement, the SEC said, “Some companies already disclose material cybersecurity incidents while they are ongoing and before they are fully remediated, but the timing, form, and substance of those disclosures are inconsistent. To that end, and to balance investors’ needs with the concerns raised by commenters, we are streamlining Item 1.05 to focus the disclosure primarily on the impacts of a material cybersecurity incident rather than on requiring details regarding the incident itself.”
And while a lot has already been said in response – and in an effort to summarize the 186-page ruling – the question remains: are the rules fair?
Cybersecurity leadership reacts
When the SEC first proposed the cybersecurity disclosure rule in March 2022, they included the requirement that boards of directors would need to disclose the extent of their cybersecurity expertise. At the time, the CISO community reacted with applause. For years, CISOs and other security leaders have fought for a seat at the board table in an effort to better educate executives on the importance of cybersecurity and risk management. According to Lenny Zeltser, CISO at Axonius, this aspect of the proposed rule “would have motivated boards to develop an understanding of cybersecurity” and would enable security leaders to finally gain the executive buy-in they’ve been fighting for.
This requirement, however, didn’t end up making it into the final rule. In response, some proclaimed, “the SEC basically let the boardroom largely slip off the hook for cybersecurity governance accountability.” But Zeltser saw a silver lining in parts of the finalized rule.
“We gained several cybersecurity-reinforcing requirements included in the final SEC rule,” he said. “It requires public companies to document ‘the board's oversight of risks from cybersecurity threats.’ Such disclosures will allow investors to understand the extent of the board's involvement in cybersecurity.”
Zeltser said this still offers an incentive to board members to pay attention to cybersecurity because the requirement to promptly report material cybersecurity incidents increases the desire to minimize incidents occurring in the first place.
In an interview with CRN, PricewaterhouseCoopers Partner Joe Nocera also shared his opinion on the matter. “I do think that was a welcome change,” he said. “Many boards were worried about, ‘Do we have to go out and put a cyber expert on our board?’ It seems clear that was a bit of an overstep.”
Now, because the rule requires companies to disclose their cybersecurity risk management process, cybersecurity leaders are the ones to gain an advantage. It will be much easier for them to align their cybersecurity strategy with that of their organization's business goals.
Is four days realistic?
In recent years, numerous countries, including the U.S., have imposed mandatory cyber incident reporting requirements. In fact, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires critical infrastructure owners to report certain cybersecurity incidents to CISA within 72 hours – one day less than the SEC’s rules.
But the problem isn’t that companies aren’t being given enough time to report on incidents (let’s face it, little progress can be made figuring out how and where a cybersecurity incident impacted your company in three days, four days, or even 14). Instead, the issue is that few companies have continuous, up-to-date asset data. And because of that, it can take days, if not weeks, to identify which assets were affected in the first place.
In a statement published by Infosecurity Magazine, SumoLogic CSO George Gerchow shared, “This ruling is a great step towards achieving accountability, to protect the consumers and the investor community. The reality is that most companies are currently ill-prepared to meet the requirement of reporting an incident of material impact within four days.”
Zeltser cautioned against misinterpreting the timeline. “Some cybersecurity professionals say that the new rule requires public companies to disclose material security incidents within four days,” he said. “This isn't quite right. The rule says that the company needs to file the incident-disclosing form ‘within four business days of determining an incident was material,’ a determination the company must make ‘without unreasonable delay.’”
Zeltser continued, “The reference to ‘business’ days gives companies some time. Moreover, the timer starts not after the company detected the incident, but after it determined that the incident was material. This sounds reasonable to me. An important note regarding this, though: The determination of what constitutes a material security incident and what's considered undue delay should be made by legal professionals, not cybersecurity leaders.”
Where cybersecurity asset management fits in
An expected benefit to the SEC ruling is that public companies will likely decide to invest more heavily in cybersecurity over the coming months. But how companies choose to invest will ultimately determine how well they meet the requirements.
Responding quickly when incidents occur is imperative. But speed is only achievable when an up-to-date, comprehensive asset inventory lets security analysts correlate alerts, understand the relationships between devices and users, and examine both the current and historical state of an IT asset. In other words, cybersecurity asset management is critical to incident response.
For example, consider the Apache Log4Shell vulnerability of 2021. The most immediate and effective mitigation for Log4Shell was to upgrade to patched versions of Log4j 2. But first, enterprises needed to know whether they were impacted. With a cybersecurity asset management platform like Axonius, security and IT teams could find Log4j in their environment by searching for it as installed software, or by matching the specific CVE, provided that a recent vulnerability scan had been run across the environment.
The time spent tracking down assets to resolve security incidents is costly, not only in terms of hours spent completing the task, but also in the additional risk posed while incidents remain unresolved. The SEC final rules will become effective 30 days following publication in the Federal Register, and Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. That leaves just four and a half months to improve incident response processes — and it starts with asset management.