Insights from the Experts: Legal, Compliance, and Security Perspectives on SEC Regulations
In July 2023, the U.S. Securities and Exchange Commission (SEC) adopted new cybersecurity disclosure rules that require publicly traded companies in the U.S. to disclose a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material. Materiality here is the securities-law standard (information a reasonable investor would consider important in making an investment decision), not a narrow test of financial performance, and the four-day clock starts at the materiality determination, not at discovery of the incident.
SecurityScorecard recently hosted a webinar discussing the implications of the new rules and how compliance, security, and legal experts can elevate their game to meet these new regulations. The webinar was moderated by SecurityScorecard’s General Counsel Owen Denby, and included our CISO, Steve Cobb; Global Risk Officer, Chris Strand; and Baker Donelson shareholder Justin Daniels.
Exploring the SEC rules
The SEC’s new rules essentially govern two main topics:
- The disclosure of cybersecurity incidents (Form 8-K, Item 1.05). In other words, when is a cybersecurity incident material in the legal sense, such that it must be disclosed publicly to the SEC and to your investors?
- The annual disclosure of a public company’s cyber risk management, strategy, and governance (Regulation S-K Item 106, reported in the Form 10-K). Essentially, what are you doing to safeguard against threat actors, and how are you protecting your company against cyber risk?
Third-party breaches affect the entire supply chain
Even if an organization has a robust cybersecurity posture, attackers will go through its vendors and partners if they cannot reach the organization directly. The last few years have underscored this with several high-profile supply-chain incidents: the SolarWinds Orion compromise, the Log4j (Log4Shell) vulnerability in a widely embedded open-source library, and the exploitation of MOVEit Transfer.
SecurityScorecard’s recent 2024 S&P 500 Cyber Threat Report analyzed the cybersecurity of the largest publicly traded companies in the U.S. One key finding was that 21% of S&P 500 companies reportedly experienced breaches in 2023. Many of the breaches affecting S&P 500 members occurred via third parties rather than at the companies themselves, and those third parties were often vendors of software or other IT products and services.
Industry nuances play a key role in shaping the threat landscape. As highlighted in the recent Global Third-Party Cybersecurity Breach Report, the healthcare sector is a notable hotspot for third-party breaches, followed closely by financial services. The primary reason is that these sectors have more numerous, diverse, and specialized third-party relationships, and each such relationship is a potential path for a third-party breach.
The impact on private companies
As mentioned above, data breaches in the digital supply chain are happening with increasing frequency. Against this backdrop, the SEC’s regulations are meant to encourage greater collaboration not only in the public arena, but in the private sector as well. Even though the SEC’s rules are aimed directly at public companies, private companies are also affected by the scope of the rules. Justin Daniels says this is by design. His reasoning? “These days, companies and their IT networks are like Lego blocks, and we’re all connected.”
As a result, a public company needs to be aware that a breach at one of its private vendors will affect its own data, reputation, and more. Public companies therefore need to be prepared to determine whether a breach at a private company materially impacts their organization, and privately held companies in turn need to collaborate closely enough with their publicly traded customers for those customers to meet their regulatory requirements.
It’s not just a public company issue. If you supply anything along the supply chain to a public company, these rules will flow down to you. And if you’re not paying close attention, that spells a lot of trouble for you and for your obligations to all of your customers.
The point of the SEC rules is to address the threat in the supply chain. And because of the interconnectedness of the digital landscape (both public and private), all companies must do their due diligence. For instance, public companies may now insist on accessing more information when sending out security questionnaires and other forms to the private companies they do business with.
Additionally, a public company may wish to take over a vendor’s breach response entirely in order to perform its own materiality analysis. But disclosing certain sensitive details to that customer may put the private company in breach of its obligations to its other customers and partners. Companies therefore need to reach a mutually beneficial level of collaboration, so that public companies can meet their SEC requirements while private companies can still protect their cybersecurity reputations. If this sounds daunting, it’s by design: “In cybersecurity, scaring is caring,” says Mr. Daniels.
The value of NIST FIPS 199 framework
The SEC cyber regulation means that public companies must have a methodology in place to evaluate whether a cyber event is material. The rule requires that determination to be made without unreasonable delay after the incident is discovered, and the panel stressed staying in communication with all affected parties throughout. That means a documented materiality analysis must be planned, rehearsed, and ready to execute long before an incident happens.
The panel agreed on the usefulness of a long-standing National Institute of Standards and Technology (NIST) standard, FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems). First published in 2004, FIPS 199 gives federal agencies a way to categorize every information type and information system they maintain by the potential impact (low, moderate, or high) that a loss of confidentiality, integrity, or availability would have, with a system’s overall category set by the highest impact across those three objectives, so that security controls can be matched to risk. The same approach can be repurposed: a public company can use a FIPS 199-style categorization of the systems an incident touches as the basis of a documented, repeatable process for deciding whether that incident is or is not material.
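As an added illustration of how a FIPS 199 categorization can anchor a documented materiality process (this is example code written for this article, not code from the webinar, from SecurityScorecard, or from NIST), the Python below implements the FIPS 199 high-water-mark categorization, applies it to a constructed inventory of systems hit by a hypothetical incident, and computes the four-business-day Form 8-K window from the determination date. The sample systems, the rule that a HIGH result escalates to a formal materiality review, and the weekend-only business-day arithmetic are all assumptions of the example; FIPS 199 impact levels are not the SEC’s materiality standard.

```python
"""FIPS 199-style security categorization, repurposed as a documented
materiality-triage step. Added example, not the webinar's or NIST's code.
FIPS 199 (Section 3) assigns each information type a potential-impact level
(LOW, MODERATE, HIGH) for confidentiality, integrity and availability; a
system's category is the high-water mark across the information types it
handles. The inventory, the incident, the HIGH-escalates rule and the
business-day arithmetic are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(info_types):
    """FIPS 199 high-water mark: per objective, the maximum impact across
    the information types the system handles."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return {obj: max(getattr(t, obj) for t in info_types) for obj in OBJECTIVES}


def overall_impact(security_category):
    """Overall system impact level: the high-water mark across C, I and A."""
    return max(security_category.values())


# Constructed sample inventory (assumption): system -> information types it handles.
SYSTEMS = {
    "customer-portal": [
        InfoType("customer PII", Impact.HIGH, Impact.MODERATE, Impact.MODERATE),
        InfoType("marketing content", Impact.LOW, Impact.LOW, Impact.LOW),
    ],
    "build-pipeline": [
        InfoType("code-signing keys", Impact.HIGH, Impact.HIGH, Impact.MODERATE),
        InfoType("source code", Impact.MODERATE, Impact.HIGH, Impact.LOW),
    ],
    "intranet-wiki": [InfoType("internal docs", Impact.LOW, Impact.LOW, Impact.LOW)],
}


def triage_incident(systems, affected, objectives_hit):
    """Highest FIPS 199 impact among the affected systems, restricted to the
    objectives the incident actually compromised. Returns (impact, escalate,
    record); the record names the system and objective behind each level so
    the determination is documented and repeatable."""
    unknown = [o for o in objectives_hit if o not in OBJECTIVES]
    if unknown:
        raise ValueError(f"unknown security objective(s): {unknown}")
    worst, record = Impact.LOW, []
    for name in affected:
        sc = categorize_system(systems[name])
        for obj in objectives_hit:
            record.append(f"{name}: {obj} impact {sc[obj].name}")
            worst = max(worst, sc[obj])
    # Assumption of this example: a HIGH result triggers the formal
    # materiality review. FIPS 199 HIGH is not itself the SEC materiality test.
    return worst, worst == Impact.HIGH, record


def disclosure_deadline(determination, business_days=4):
    """Date by which the Form 8-K is due: four business days after the day
    the incident is determined to be material. Accepts a date or an ISO
    string. Counts Monday to Friday only; holidays are not handled (assumption)."""
    if isinstance(determination, str):
        determination = date.fromisoformat(determination)
    d, remaining = determination, business_days
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # 0..4 are Monday..Friday
            remaining -= 1
    return d


if __name__ == "__main__":
    impact, escalate, record = triage_incident(
        SYSTEMS, ["customer-portal", "intranet-wiki"], ["confidentiality"])
    for line in record:
        print(line)
    print(f"worst impact: {impact.name}; escalate to materiality review: {escalate}")
    determined = date(2024, 5, 30)
    print(f"determined material on {determined}: 8-K due by {disclosure_deadline(determined)}")
```

The value is in the record that the triage returns: each line names the system and the security objective that drove the result, which is the evidence an auditor or a disclosure committee will ask for. Feed it real inventory data and add a holiday calendar before relying on the deadline arithmetic.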
Insights from the experts
From a legal, compliance, and security perspective, our panel had some expert advice for practitioners when trying to meet new cybersecurity regulations and standards.
Insights from the CISO
CISO Steve Cobb suggests the following:
Find a tool, a vendor, and a team that can provide you with a compliance framework; something like SecurityScorecard that can match your inventory to a compliance framework is a great start. It also allows you to look historically at how you’re getting better, which you can show to auditors or a board and say, “We’re doing something right…we’re making progress and our program is getting better.”
Insights from the compliance expert
To make your life easier, Chris Strand suggests the following:
Companies should look at the four main aspects that are reviewed during a security assessment or audit.
- Start at the top with the pre-gap analysis and ask yourself these questions:
Do I have a baseline inventory of my enterprise security stack, with adequate control and visibility of its data flows, integrations, and vulnerabilities? Do I have an operational and/or security policy to measure my enterprise maturity against? Do I have any security certifications to support the validity of my enterprise posture? This is all the type of information that an auditor would want to look at.
- Analyze the security gaps. This is where the materiality question comes in, and it often helps enrich the materiality calculation. If you know where your vulnerabilities are, do you understand how risky they are? Are you required to understand and demonstrate their telemetry and their relationship to the rest of your security stack across your enterprise, and if so, can you point to the evidence-based data that proves the way you have ranked them?
- Establish a plan of action for a cyber incident. Conduct tabletop exercises, along with technical validation such as integrity checks and penetration testing, to provide evidence of enterprise preparedness and proof that your security policy holds up. From there, be prepared to show auditors the remediation and mitigation steps you plan to take.
- Have a formal risk assessment in place that will help to rank your infrastructure and identify the troubled or risk prone areas.
Insights from the legal expert
According to Mr. Daniels, it’s all about the documentation.
Reporting to the SEC, and doing business with multiple kinds of companies, requires providing appropriate cybersecurity documentation. Modern businesses are relying on this documentation before they decide to close a deal. And if you don’t have it, at best, that deal is getting delayed. At worst, you lose the deal.
Collaboration and the future of cybersecurity
Many industries — such as telecommunications, healthcare, financial services, energy, and technology — are interconnected, resulting in a complex matrix of risk interdependencies that policymakers and business executives around the world are attempting to address with laws, policies, and risk management strategies. At an organizational level, security, compliance, and legal experts must come together to boost their companies’ cybersecurity and increase cyber resilience across the digital supply chain.