Security Leaders Weigh in on New SEC Cybersecurity Rules

The U.S. Securities and Exchange Commission, in a move much anticipated by CSOs and CISOs, will require public companies to disclose material cybersecurity incidents, in most cases within four days of discovery.

The SEC, which has been considering new data breach reporting rules for over a year, finalized the regulations on July 26, 2023, allowing the commission to levy millions of dollars in fines to companies that don’t comply.

The new rules, which will go into effect within weeks, also require public companies to disclose material information related to their cybersecurity risk management, strategy, and governance on an annual basis. The annual reporting requirements are mandated in annual reports for fiscal years ending Dec. 15, 2023, and later.

The new rules allow a delay in the four-day reporting requirement if the U.S. attorney general determines that immediate disclosure would pose a substantial risk to national security or public safety.

News of the release of the cybersecurity rules was widely shared on LinkedIn, with current and former CSOs and CISOs expressing a range of opinions. Some praised the rules as a good step toward corporate transparency about cybersecurity incidents, and others suggested the SEC didn’t go far enough to hold boards of directors responsible for company cybersecurity.

Principles, not prescriptions

Jerry Perullo, a long-time CISO and a professor of practice at the Georgia Tech School of Cybersecurity and Privacy, also praised the final rules, saying the SEC revamped or removed some of the more confusing or prescriptive proposals in an earlier draft of the rules. The reporting requirements, for example, focus on material impact of a cyber incident, and not the details of the incident, as was required in an earlier draft.

“The final rule is far less prescriptive in the program elements required for disclosure, adopting a more principle-based approach that will allow a variety of approaches to satisfy the spirit of articulating a risk management approach,” he wrote on LinkedIn. “Given the fast-changing nature of adversarial threats, this should allow firms to operate adaptive programs that can quickly pivot in response to changing threats.”

Perullo noted that the commission rejected a proposal that would have required companies to disclose whether any members of their boards of directors have cybersecurity expertise as part of their annual reports. The proposed rule generated many comments, with one commenter saying that hiring cybersecurity experts as board members might come at the expense of other cybersecurity spending.

“I agree with the commission that a broader principle-based disclosure of cyber risk management processes will empower organizations to feature cyber expertise on the board when it is appropriate for that firm’s risk profile while not diminishing the credentials and risk management abilities of directors without formal cyber-specific experience,” Perullo wrote.

Board members not accountable

Some cybersecurity experts suggested the four-day requirement will create a complex reporting process for CISOs and other security leaders. The short timeframe will likely lead to restatements from companies as they collect more details about breaches, said Ken Stephens, former CISO at Beaumont Health and former director of cybersecurity operations at the U.S. Internal Revenue Service.

“Material impact can easily become apparent long before complete understanding of all the facts,” he wrote on LinkedIn.

The SEC missed the opportunity to hold boards of directors more responsible for cybersecurity, and instead put more potential blame on CISOs, when it didn’t require board cybersecurity expertise, he added.

“Not requiring information and cyber experience on the board is an invitation to criminal and civil liability down the road and a disservice to all customers, clients, patients and employees,” he wrote. The decision “loads the CSO/CISO with CEO and executive leadership baggage that will likely never see the light of day in the boardroom.”

The SEC regulations put the responsibility for incidents on CISOs, added Barbara Shurtleff, CISO at Fractionals United.

“So you thought hiring a CISO was hard before?” she wrote on LinkedIn. “Now, with today's SEC's ruling, it's like asking a captain to navigate the desert, bearing all the blame for the heat, but without a say in choosing the path.”