As cybersecurity professionals, what do you think of the SEC proposed regulations to increase transparency around cybersecurity incident reporting?
On March 9, 2022, the SEC released its much-anticipated proposed rules relating to cybersecurity risk management, incident reporting, and disclosure for investment advisers and funds.
The proposed rules would require advisers and funds to adopt and implement policies and procedures that are designed to address cybersecurity risks. The proposed rules require advisers and funds, on an annual basis, to: (1) review and assess the design and effectiveness of their cybersecurity policies and procedures; and (2) prepare a report describing the review, explaining the results, documenting any incident that has occurred since the last report, and discussing any material changes to the policies and procedures since the last report.
Vice President B. Dunlap recently sat down for a cybersecurity roundtable with Daniel Schwalbe, CISO & VP, IT, DomainTools; Jennifer Sosa; and Scott Giordano, Director, Consult & Info Gov.
The group discussed key points within the SEC proposed rules, including the four-business-day deadline to disclose material cyber incidents, comparisons to the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), the disclosure of cyber attacks and ransomware payments, and more.
Scott Giordano provided an overview of the proposed SEC rules. Publicly traded companies would be required to disclose material incidents within four days of discovery. The definition of material was purposely broad and included both material cybersecurity incidents and material risks. Businesses must decide what would be material both from their own perspective and from the investor's perspective, which broadens the scope even further.
Overview of reporting requirements:
If a cybersecurity incident or risk is discovered, it must be disclosed within the mandated time.
Updates must be reported in periodic reports and must include previously reported cyber incidents.
Policies and procedures that are in place to protect against bad actors and against cyber security breach incidents and risks must be disclosed.
Policies and procedures that are in place to address an incident once it is discovered must be disclosed.
Any member of a company’s board who has cybersecurity expertise must be disclosed.
Immediately after the SEC proposed rules were released, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law on March 15. This federal legislation covers any entity involved in critical infrastructure. Few businesses are excluded from this law, and it includes similar requirements: cyber security incidents or risks must be reported to CISA within 72 hours, and ransomware payments within 24 hours. The proposed rules from the SEC are similar to CIRCIA and to other state requirements that have been put in place. With CIRCIA in force, most businesses will be subject to two sets of reporting requirements.
Jennifer Sosa discussed the idea of materiality and looked at the long history of case law that included a substantial likelihood that a reasonable investor would deem an incident material; not just what cyber professionals deem important. That broadens the scope for companies and provides a baseline for what would be included should the proposed rules be enacted.
Daniel Schwalbe, having worked with a variety of companies and with experience addressing cyber security incidents from a business perspective, took the view that 72 hours is a short time period for a company to provide a report on a material cyber security incident. From his perspective, a company won't have a proper handle on the details or scope of the incident in that timeframe. It can take up to 4 days just to finish the imaging that must be done when an incident is discovered, and that is before a forensics investigation can even begin. This also increases the likelihood of raising a false alarm about an incident that is later found to be immaterial.
Giordano offered a different perspective. In the past, reporting timeframes were 45 and 60 days, and it was discovered that incidents were not being reported for months or even years. That led to the shortened timeframes and new requirements being proposed and put in place. In terms of having the ability to rapidly identify what info is in scope.
Sosa pointed out that companies should be incentivized to address several of the required steps prior to an incident. The proposed guidance provides parameters on much of the information that must be disclosed, and a good portion of that can be prepared in advance, including what policies are in place to prevent an incident and what will be done to address a material incident once it is discovered.