By George Gerchow, CSO and SVP of IT, Sumo Logic
Corporate security and compliance teams are scrambling to understand the implications of the U.S. Securities and Exchange Commission’s (SEC) recently adopted cybersecurity disclosure and reporting rules. While the need to report ‘material cybersecurity incidents’ within four business days (and the anticipated penalties for non-compliance) is a concern for many security teams already stretched to the limit, the requirements for ongoing disclosure of risk management and governance may have a bigger impact.
However, industry leaders are touting the potential benefits of the new regulations, especially for investment customers who will enjoy greater transparency and accountability regarding security breaches. And companies that employ emerging technologies and best practices to address the new SEC rules may see a boost in customer confidence and achieve other competitive advantages.
What Are the New SEC Guidelines?
The SEC is responsible for regulating the securities industry, and its cybersecurity disclosure rules are designed to give investors timely and consistent information about how public companies manage cyber risk and about the incidents that affect them. The new rules will require companies to:
- Disclose on Form 8-K (new Item 1.05), within four business days of determining that a cybersecurity incident is material, the material aspects of the incident’s ‘nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.’ Details not yet known at filing time are added later by amendment.
- Describe annually, in the Form 10-K, the company’s processes for assessing, identifying, and managing material cybersecurity risks, management’s role in those processes, and the board’s oversight of cybersecurity risk.
The new regulations will compel organizations to improve how they discover vulnerabilities and breaches, their reporting protocols, and their overall level of cybersecurity expertise. According to PwC, the SEC is now ‘putting the onus on companies to give investors current, consistent and “decision-useful” information about how they manage their cyber risks.’
“Many companies will focus on enhancing their cybersecurity capabilities as they plan for the new disclosure requirements.”
PwC, SEC’s New Cyber Disclosure Rule
Is Your Existing Security Infrastructure ‘SEC-Ready’?
As companies prepare for the new SEC rules, they must assess and adjust their current security priorities and initiatives to ensure they align with the new regulations. These initiatives may include:
Assessing cybersecurity risks. Organizations must constantly improve their security strategies and infrastructure in response to evolving cyber threats to protect sensitive data, financial assets, and mission-critical applications and systems.
Managing implementation and operational costs. Introducing new cybersecurity programs and operating a high-performance security infrastructure is costly, especially for smaller organizations. Meeting the new SEC guidelines may require incremental investments in technology, training, and auditing.
Minimizing non-compliance risks. Failure to comply with the new SEC regulations could result in material fines, penalties, legal actions, and damage to shareholder trust.
Understanding the regulatory complexities. As the SEC is essentially breaking new ground, many companies may need help interpreting and complying with the requirements.
Protecting reputation and investor confidence. A cybersecurity incident can damage a company’s reputation and investor confidence. The new SEC guidelines will create greater visibility into security breaches and bring into focus how quickly and effectively companies responded to an incident.
Mitigating legal exposure. Companies impacted by a cybersecurity incident may face legal action from affected customers or investors.
The Significance of Time and Materiality
Historically, organizations have adopted incident reporting and response processes based on their own needs and requirements. Aside from the general disclosure obligations under SOX (Sarbanes-Oxley Act), there was no federal rule applying to public companies in general that set a specific timeframe for reporting material cybersecurity incidents to investors; the deadlines that did exist came from sector-specific regulators or state breach-notification laws.
The new SEC rules have dramatically changed the playing field by introducing the four-business-day incident reporting requirement. The clock does not start when an attack is discovered: it starts on the day the company determines that the incident is material, and the rule requires that determination to be made ‘without unreasonable delay’ after discovery. What counts as unreasonable delay is not spelled out, and ‘materiality’ itself is a judgment call rather than a threshold. These ambiguities will create challenges during the early days of the regulations. Companies will need to document their own definitions of detection, escalation, and materiality, record the timestamp of each milestone for every incident, and execute against those definitions, testing not only their detection tools and workflows but their overall security governance.
Interpreting the Rules: The Stakes Will Be High
These grey areas are even more concerning, given the expectations of significant penalties for non-compliance. Security professionals expect enforcement actions to follow soon after the rules take effect and that penalties may run into millions of dollars. As well, the list of scenarios that could trigger an infraction may be quite comprehensive and could include issues such as:
Leaking secrets (for example, API keys) in a public open-source repository. Whether this is material depends on what the keys could reach and whether they were actually used; a practitioner would rotate the keys immediately and review the audit logs for the affected services before deciding.
An executive laptop lost or stolen with a live session still logged in (for example, an SSO session). This could be considered material, with an impact on investors, until the session has been revoked and the activity under that identity has been reviewed.
A DDoS attack detected against your cloud-native retail application, during which the system was unavailable for a short time. Is five minutes of downtime material? How about three hours or three days? The answer depends on revenue lost, customer impact, and whether the outage masked another intrusion, not on duration alone.
Until the regulations are interpreted and enforced over time and fines normalized, companies will need to err on the side of caution to avoid potential infractions and the resulting penalties.
The Importance of Security Logs
Security log analytics and management are critical to cybersecurity. Logs are the first thing security pros examine when they suspect a cyber incident, and under the new rules they are also the evidence that shows when an incident was first seen, when it was confirmed, and when materiality was decided. To maximize their effectiveness, companies must quickly and efficiently capture log data in a central repository for monitoring and analysis. They also require best-in-class detection and response capabilities, a trained team, and a well-documented security operations plan. Finally, companies must commit to timely and clear communications across all technical and business stakeholders (including finance, legal, and the executive team).
Modern tooling can simplify this process. For example, by having existing security applications feed their logs directly into a cloud-native analytics platform, security pros can quickly determine the severity and scope of potential incidents.
Analytics and dashboarding solutions can also provide reporting and automated notifications that help analysts understand the scope of detected threats and give the organization the information, and the timeline, it needs to determine whether a cybersecurity incident is material and to track the reporting clock once it is.
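As an added example (not code from the article or from Sumo Logic), the script below shows the kind of timeline tracking the paragraphs above call for: it reads alert lines as they might be exported from a central log platform, groups them by incident, records the first-seen, analyst-confirmed, and materiality-determined milestones, and computes the filing deadline as four business days after the determination date. The JSON format, the incident_id field, the event names, and the sample alerts are all constructed for this example; the seven-day ‘max_lag’ policy threshold is a hypothetical internal control, not an SEC figure; holidays are supplied by the caller because the rule counts business days and this example does not ship a holiday calendar.

```python
"""Incident reporting-clock tracker (added example, not from the original article).

Assumptions: JSON-lines alert format and field names are invented; the clock starts
on the date materiality is determined and runs four business days (weekends and
caller-supplied holidays skipped); 'max_lag_days' is a made-up internal policy."""
import json
from datetime import date, datetime, timedelta, timezone

# Constructed sample alerts (not real data), one JSON object per line.
SAMPLE_LOGS = """\
{"ts":"2023-09-05T02:14:07Z","source":"waf","incident_id":"INC-1","event":"anomalous_traffic"}
{"ts":"2023-09-05T02:20:31Z","source":"edr","incident_id":"INC-1","event":"credential_dump"}
{"ts":"2023-09-05T09:02:00Z","source":"soc","incident_id":"INC-1","event":"analyst_confirmed"}
{"ts":"2023-09-08T17:45:00Z","source":"legal","incident_id":"INC-1","event":"materiality_determined"}
{"ts":"2023-09-06T11:00:00Z","source":"cdn","incident_id":"INC-2","event":"ddos_start"}
{"ts":"2023-09-06T11:05:00Z","source":"cdn","incident_id":"INC-2","event":"ddos_mitigated"}
"""


def parse_ts(value):
    """Parse an ISO-8601 timestamp ('Z' suffix allowed) into a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(text):
    """Parse one JSON alert per line, skip blank lines, return events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = parse_ts(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def build_timelines(events):
    """Group events by incident_id and keep the milestones the reporting clock depends on."""
    timelines = {}
    for rec in events:
        t = timelines.setdefault(rec["incident_id"], {
            "first_seen": rec["ts"], "confirmed": None, "determined": None, "events": []})
        t["events"].append((rec["ts"], rec["source"], rec["event"]))
        if rec["event"] == "analyst_confirmed" and t["confirmed"] is None:
            t["confirmed"] = rec["ts"]
        if rec["event"] == "materiality_determined" and t["determined"] is None:
            t["determined"] = rec["ts"]
    return timelines


def add_business_days(start, n, holidays=frozenset()):
    """Advance 'start' by n business days, skipping Saturdays, Sundays and listed holidays."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            n -= 1
    return d


def deadline_iso(determined_iso, business_days=4, holidays_iso=()):
    """Filing deadline (ISO date) counted from the date of the materiality determination."""
    holidays = frozenset(date.fromisoformat(h) for h in holidays_iso)
    start = parse_ts(determined_iso).date()   # assumes determination date taken in UTC
    return add_business_days(start, business_days, holidays).isoformat()


def assess_all(text, now_iso=None, max_lag_days=7, holidays_iso=()):
    """Per incident: filing deadline, how long the determination took, and a policy flag.

    The flag is raised when the determination has taken (or has been pending) longer
    than max_lag_days since the analyst confirmed the incident (or first saw it)."""
    now = parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    max_lag = timedelta(days=max_lag_days)
    results = {}
    for inc_id, t in build_timelines(parse_events(text)).items():
        clock_start = t["confirmed"] or t["first_seen"]
        if t["determined"] is None:
            results[inc_id] = {"deadline": None, "determination_lag_seconds": None,
                               "status": "materiality determination pending",
                               "flag": (now - clock_start) > max_lag}
            continue
        lag = t["determined"] - clock_start
        results[inc_id] = {"deadline": deadline_iso(t["determined"].isoformat(),
                                                    holidays_iso=holidays_iso),
                           "determination_lag_seconds": int(lag.total_seconds()),
                           "status": "determined; filing clock running",
                           "flag": lag > max_lag}
    return results


if __name__ == "__main__":
    for inc, r in assess_all(SAMPLE_LOGS, now_iso="2023-09-09T00:00:00Z").items():
        print(inc, r)
```

In the sample data INC-1 is determined material on a Friday, so the deadline lands on the following Thursday; INC-2 (a short DDoS) has no determination event and is reported as pending, and the flag only trips once it has sat undecided longer than the policy allows. The milestone timestamps that drive this calculation are exactly what an auditor or regulator will ask for, so they should be logged from the SOC and legal workflows rather than reconstructed afterwards.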
Preparing For Uncertainty
One of the biggest challenges companies now face is anticipating how the SEC regulations will play out in practice. For example, how does a company decide whether a suspected breach is an actual incident, and at what point does an incident meet the reporting threshold? Running afoul of the new rules could have a material impact on the entire organization.
Due to this additional scrutiny on security breaches, we will also continue to see an evolution of the CISO or top security leader role. It will become increasingly important for CISOs to have a seat at the board table to help guide the organization’s risk management processes and incident response. Public companies will also seek out security-minded board members with cross-functional business experience, since the annual disclosure now covers the board’s oversight of cyber risk.
Luckily, companies with a robust infrastructure and security-focused culture throughout the organization that prioritize best practices, staff training, and AI-enabled logging and reporting capabilities should be well-positioned to weather the storm.
About the Author
As Sumo Logic’s CSO and SVP of IT, George Gerchow brings over 20 years of information technology and systems management expertise to the application of IT processes and disciplines. His background includes the security, compliance, and cloud computing disciplines. Mr. Gerchow has years of practical experience in building agile security, compliance, and IT teams in rapid development organizations. He is a Faculty Member for IANS – Institute of Applied Network Security and sits on several industry advisory boards. Mr. Gerchow is also a known philanthropist and Founder of a nonprofit corporation, XFoundation.
George can be reached online at LinkedIn and at our company website https://www.sumologic.com/