Shostack + Friends Blog

 

SEC Cybersecurity Rules

The SEC has important new cybersecurity rules A Board meeting

Last week, the SEC issued new cybersecurity guidance. It includes a requirement to disclose material breaches within four days, and does not, contrary to drafts, require boards to disclose their cyber expertise.

Fifteen years ago, Andrew Stewart and I published The New School of Information Security, in which we called for greater disclosure of cyber incidents and learning more from them. At the time, it was a controversial position, and I’m glad to see it broadly coming to pass in the United States. There will certainly be companies who continue to sweep their issues under the rug, mis-lead their shareholders, and are punished not for the breach, but for the cover-up. The SEC has nice whistleblower rewards.

Some of the things I note in reviewing the 186(!) page final rule:

  • “[W]e are streamlining Item 1.05 to focus the disclosure primarily on the impacts of a material cybersecurity incident, rather than on requiring details regarding the incident itself.” (Page 29) I find this balancing unfortunate, but it’s may be inline with what the SEC is able to do today. Investors have access to sophisticated advice, and can use details regarding the incident to better assess the firm’s investments in cybersecurity. More on this below.
  • “[W]e consider prompt reporting of material cybersecurity incidents to investors critical to investor protection and well-functioning, orderly, and efficient markets.” (Page 45) This is a new, and, as they discuss, different basis for disclosure than other laws.
  • “[A] large number of commenters expressed concern about the aggregation requirement, saying, for example, that companies experience too many events to realistically communicate internally upward to senior management, and that retaining and analyzing data on past events would be too costly.” (Page 49) Both parts of this, frankly, are fascinating positions to take. If either a company is experiencing too many events to communicate to management about, or if management doesn’t want to hear about them, how is that not of interest to investors? And if organizations fail to retain or analyze data on past events, how are they learning or improving?
  • The “interesting” parts of the rule ends around page 80, moving to technical matters like foreign issuers and structured information in submissions.

Overall, the final rule clearly demonstrates thoughtful engagement with the comments. I don’t love every decision they made, but maybe the fix for that ought to have been me writing a comment in response to the draft rules.

Some other people have published worthwhile commentary, including a webinar, SEC Finalizes Cyber Disclosure Rules (Jake Williams, Anand Singh, George Gerchow, IANS customer-only). They point out that the SEC’s attempt to avoid requiring details isn’t going to work, because your customers are going to demand those details from you, and if you’re a public company, scale will require you to publish them. Here, I think the SEC got the answers wrong, and they did so giving overly much attention to the idea that attackers need roadmaps. It seems pretty clear to me that they don’t. I want to renew the request to CISA to clarify that we made in the Threat Modeling Manifesto group’s letter to CISA.

Looking to the future, I think there’s a fascinating question of the relationship between a breach and controls. If a company is breached, and fails to detect it for more than 180 days, how can the officers of the company be confident in their financial results?

Thanks to David Mortman for the nudge, and Midjourney: “A Wes Anderson style board meeting”