Ambiguity Persists One Year After SEC Cyber Disclosure Rules

It’s been a year since the SEC ruled that public companies are required to disclose cybersecurity breaches within four days of determining that an incident is material, and still not much has changed, according to George Gerchow, Faculty at IANS Research and Head of Trust at MongoDB.


While organizations are trying to be more transparent, the lack of significant fines or penalties allows “the same bad habits to persist”, he said. 

Many large corporations have experienced major incidents and failed to disclose them within the required four days of determining materiality without facing additional penalties, he added.

Having personally experienced two cybersecurity incidents last year, Gerchow can attest that the new rules are a “priority, especially regarding disclosure timing”. 

However, these rules also create problems, such as announcing an ongoing attack before having time to mitigate the issue, he added. 

“It is hard to mitigate a problem while telling the world you are still vulnerable; this leads to more attacks,” Gerchow told Traders Magazine.

“With an incident or breach, you go down many paths to try and evaluate damage and other potential risks. After disclosing, every threat actor on the planet will start trying to exploit you even further, creating more risk and confusion,” he commented.

So far, only one significant fine has been imposed. On May 22, the Securities and Exchange Commission announced that the Intercontinental Exchange agreed to pay a $10 million penalty to settle charges that it caused the failure of nine wholly-owned subsidiaries, including the New York Stock Exchange, to timely inform the SEC of a cyber intrusion as required by Regulation Systems Compliance and Integrity (Regulation SCI). Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, noted at that time that under Reg SCI, companies have to “immediately notify the SEC of cyber intrusions”.

Gerchow commented: “To address these issues, we need greater accountability and larger sanctions on timing to enable customers to protect themselves, as well as clearer guidance on what constitutes material information. Additionally, we must find ways to better protect companies that are undergoing an incident after disclosure and are under attack.”

“The SEC has not been clear. Every industry is different, and everyone has their own set of crown jewels. It is still very ambiguous. Most folks are going off financial impact,” he added.

According to Steve Martano, Faculty at IANS Research and Partner at Artico Search, regulators are continuing to add requirements beyond financial disclosure, and cyber is just one piece of additional information that holistically makes up the health and business risk of any company. 

“Due to these adjusted regulations, companies are reevaluating materiality and documentation around cyber incidents,” he said.

Martano said that although many chief information security officers (CISOs) complained that the SEC did not do enough in its 2023 ruling, they begrudgingly agree that any move leading to an increase in transparency and disclosure is a positive step.

“Most of the discontent last summer was around the SEC striking their cyber board member requirement, the optics of which was regulators viewing cyber as an operational challenge to be managed by executives rather than in the boardroom,” he said.

Martano further said that over the last year many companies developed a cross-functional plan for responding to cyber incidents, redesigning incident response strategies to include an assessment of materiality.

“This positive development enhances the muscle memory of an organization in the event they need to respond to a security incident while also elevating the security function and security leader,” he said.  

“While we are far from an equilibrium on cyber disclosure and regulatory requirements, we are trending in the right direction,” he argued. 


Scott Kannry, CEO and Co-Founder at Axio, added that management teams must gain the insights necessary to make informed and defensible decisions about their cybersecurity programs. 

CISOs, in particular, must build a shield of defensibility, he said. 

They need to demonstrate that they have exercised appropriate care, were well-informed, and used proper business judgment, Kannry said. 

“By doing so, they can better navigate the complex and evolving regulatory landscape, safeguarding their organizations,” he added.

He believes that the regulatory and litigation landscape will continue to transform in ways we can’t fully predict. 

“What is certain is that we will continue to see litigations and regulatory upheavals,” he said. 

“Each cyber incident and consequent response is unique, and while the SEC may be hesitant to proceed with litigation due to this precedent in the immediate future, it’s become clear in recent months and years that regulators are indeed willing to test the bounds of such litigation,” he added.