For almost two decades the United States military abided by the mantra of “don’t ask, don’t tell,” referring to its official policy on non-heterosexual service people. The policy, instituted during the Clinton administration under a directive of the Department of Defense and repealed in 2011, was supposed to end discrimination against LBGTQT individuals. Silence and secrets were the key elements.
Unfortunately, that same veil of secrecy has been a pillar of most large enterprise corporations and mid-sized organizations when it came to their cybersecurity disclosures. That “don’t ask, don’t tell” mentality characterized some of the most publicized data breaches in the business world like Equifax. One of the biggest hacks in history, the Equifax data breach that happened in 2017, remained undetected and hidden for almost three months. The company spent USD 1.4 billion in recovery after this data breach.
That all changed as of July 26 when the U.S. Securities & Exchange Commission (SEC) released a new rule aimed to increase consistency of how and when material cybersecurity information is disclosed to investors and the public. With this new rule, publicly traded companies may be required to disclose cybersecurity incidents within as little as four business days. It also sets out new requirements for annual reporting to the SEC on cybersecurity preparedness.
While these rules apply directly to public companies in the United States, we can expect to see a trickle-down effect in the level of preparedness and urgency that is expected from companies responding to cybersecurity incidents.
The issue many corporate executive boards have faced was the dilemma of full disclosure at the expense of brand and reputation destruction or getting ahead of bad publicity and hopefully saving face and stock prices.
“Consumers are losing confidence that public companies are not reporting when a breach occurs. These new SEC cybersecurity regulations, this is going to change how companies do business and will require a lot of people to prepare for it. The new regulations are a great step forward to protect customers and the investment community,” George Gerchow, the CSO and SVP of IT at Sumo Logic tells STE.
Gerchow adds: “Most companies are not prepared to report an incident in the required four days. One of the biggest hurdles companies will need to deal with is actually figuring out if something is a true incident or not. What is the tipping point to say this is a breach or not, and when does it meet the mark for when we report it? This doesn’t just fall on the CSO anymore, this affects the entire working group and bottom line. Especially now in the cloud, it will be harder to discover that tipping point. Companies must implement new solutions to help remain compliant.”
Jeffrey Wheatman, an SVP and Cyber Risk Evangelist at Black Kite, says that with the SEC ruling on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure that was just finalized, public companies will need to get a head start making these practices part of their strategy now before the deadline (30-days following the publication of the adopting release in the Federal Register).
With this ruling, companies will have to notify the SEC of cybersecurity incidents that have a material impact on business operations four days after they declare it material and will be held accountable to disclose cybersecurity risk management, strategy and governance in their annual filings. This is a challenging process in which there are no current requirements or standards to follow today.
Jake Seid, a founding partner at Ballistic Ventures concludes that this ruling is going to fundamentally transform the Board of directors of many companies.
“In a similar way to how Boards have brought in deep financial experts as Audit Committee Chairs, public company boards will now need to bring in experts with deep cybersecurity expertise. Just as financial experts on audit committees provide oversight and checks and balances on financial risk, cyber risk is now shoulder to shoulder with financial risk and needs the same level of expertise on the board to provide proper oversight," Seid says.
So why is this ruling a cybersecurity game-changer? In some cases, companies will have to disclose significant hacks involving not only technology they own but also systems of third-party vendors if the breach is material. Along with staying vigilant toward security threats within your company, you also need to practice cybersecurity risk management when working with contractors, partners, or vendors.
As companies start to prepare for the SEC cybersecurity rule, multiple departments outside of financial reporting will also be affected. This includes audit and risk teams, who will need to consider ways to stay ahead of risk and implement a cybersecurity risk management program. Cybersecurity and cyber hygiene are now a corporate team sport.