Your company took a hit. You had a cyber “incident” or perhaps a “breach” or maybe you had “financial exposure.” These are terms the Securities and Exchange Commission (SEC) uses in its latest guidance to public companies on being more forthright when they’ve experienced “material events” (as in the potentially compromising kind).
This means reporting such events on forms 10-K and 10-Q and in SEC registration statements – it also means notifying investors about them. The SEC is also pushing for greater involvement of company directors and officers in cybersecurity, so they are better informed about incidents and risks. Of course, in the wake of the 2017 Equifax breach, the SEC’s guidance also establishes and clarifies the expectation that companies enhance existing procedures designed to guard against directors and officers trading on inside information about incidents.
Harmonization versus blurred lines on terms, timing and thresholds
The SEC’s guidance adds to the patchwork of privacy and security regulatory expectations both in the U.S. and around the world, including 48 states’ regulations, the Health Insurance Portability and Accountability Act, the financial regulatory expectations of the Gramm-Leach-Bliley Act, the New York Department of Financial Services (NYDFS) cybersecurity regulation, the EU’s General Data Protection Regulation (GDPR) and beyond.
It’s not surprising that every time there is a new expectation around incident reporting, I get calls from friends across the security industry asking:
Will the regulators harmonize their expectations?
Can regulators come together with one common definition of an incident?
What about a singular timeframe to report or one government agency to report to?
Wouldn’t it be helpful if there was one clear set of information needed in this reporting?
Having walked a mile in the regulators’ shoes and worked with numerous financial institutions, I agree that we need to strive for regulatory alignment. Because a variety of regulators have essential missions supported by a variety of legal authorities, it is no wonder that there are differences across their expectations. Through its guidance, the SEC is doing what it can, under its authority, to push for additional security involvement by public companies’ senior officials and directors while also ensuring transparency to investors.
While the commission’s guidance does not provide a specific time frame for when incidents should be reported, it doesn't directly conflict with existing requirements (such as those of the NYDFS, GDPR, Committee on Payments and Market Infrastructures, International Organization of Securities Commissions, etc.).
Best way forward: Well-defined, documented incident response procedures
Because the SEC, based on its mission and supporting authority, is focused on materiality, the timeliness of reporting an event rests on a company’s ability to quickly assess the potential impact and the company’s risk exposure, both of which are critical to determining whether the event rises to the threshold of being “material” and warrants reporting.
Historically, most events have not risen to this threshold. This might not continue to be the case, however, given the growing sophistication and number of threats from nation states and organized criminals. That’s why public companies that don’t already have updated, clear, well-tested and documented processes that include the capabilities below must put them in place quickly:
Assess immediate and longer-term potential risks
Escalate findings to officers and directors
Implement appropriate reporting procedures
Advise insiders of trading controls
Companies must also conduct real-world analysis through red-teaming (advanced adversary simulations) and scenario analysis to better understand their business risk exposures. This will help them determine how to draw the lines of materiality and comply with the SEC’s guidance when incidents arise.
Finally, shareholders should use this opportunity to learn more about how their investments are protected by reviewing the companies’ public reports to understand how they are managing the changing cybersecurity risk landscape.
Important note: The content in this blog is general in nature. It is not, and is not intended to be relied on as, advice. It should not replace the expertise of qualified professionals and readers should seek advice specific to their organization’s needs, which may vary and require unique action.