SEC Cyber Disclosure Rule Now in Effect

September 5th marked the beginning of the mandate for publicly traded companies to notify the SEC of a cyberattack within four days of a material cybersecurity incident.


However, according to George Gerchow, IANS Faculty member and CSO and SVP of IT at Sumo Logic, the more important date is December 15th, when companies are required to notify investors.

The reality is that the majority of companies are heading into this mandate unprepared, even as the responsibility falls on the CISO, he said.

“There are still way too many unknowns at this time. We are trying to understand what a ‘material incident’ means, but it’s still too ambiguous,” he added.

Furthermore, there is very little guidance on how companies should handle third-party attacks, he said.

“Supply chain attacks are on the rise and add another layer of complexity to reporting the full nature and scope of an incident,” Gerchow said. 

According to Gerchow, there are three major unanswered questions: what the impact on your company is; how to handle a four-day disclosure timeline, especially if a third party is involved; and what the penalties are for failing to meet the reporting deadline.

“With all the unknowns and ambiguity, all eyes will be on December 15—and the hope is that by then, we’ll have more information on penalties and more,” he said.


Scott Kannry, CEO and Co-Founder of Axio, agreed, saying that for most public companies the first deadlines are December 15th and 18th, so the time to get ready is now.

According to Kannry, there are two sides to the rule.

The disclosure side concerns better disclosure of how the company (more specifically, the Board of Directors and management) governs and oversees its cybersecurity program, he said. “Companies have to be more forthright about the methodologies and frameworks they are using to manage cybersecurity,” he said.

The other side concerns how to determine whether a cyber incident is material to investors in the company, Kannry said, adding that this means whether a cyber event negatively impacts an investor’s investment in the company.

“To ensure that your company is prepared on the disclosure side, you must quickly evaluate the methodologies in place that govern cybersecurity from a board level standpoint,” he commented.

“If it’s a hodgepodge of spreadsheets and new consultants every year, you aren’t going to have consistency. I often draw the analogy to financial management reporting where it’s important to have a trusted and consistent methodology, and capabilities in place to support the utilization of that methodology,” he said.

“For example, do you have the cybersecurity equivalent of an FP&A platform? If the answer is yes, you have the underpinnings to meet the requirement,” he added.

On the materiality side, it’s the same logic from a different perspective, according to Kannry.

“How would you define if an incident is material as it relates to investor materiality? How does that relate to the way that you define other risks from a materiality standpoint? For all other areas of risk that might find their way into a company’s enterprise risk management program, that’s typically defined in dollars and cents,” he said. 

“We need to do the same thing in cyber and to do so we can use cyber risk quantification. If you currently define cyber event materiality as the percentage of endpoints impacted, can you effectively translate that into operational impact and potential financial impact on the business? If the answer is no, your company is not ready to meet the requirement,” he concluded.