"We're becoming scapegoats": How have CISOs responded to SEC cyber risk disclosure rules?
On the anniversary of the new rules, we speak to industry experts to find out how (and if) things have changed.
It has now been exactly one year since the SEC adopted new cyber risk disclosure rules that require listed companies in the US to describe the Board of Directors' oversight of cyber risk and to disclose "material" cybersecurity incidents within four business days of determining that an incident is material.
On July 26, 2023, the Securities and Exchange Commission (SEC) said it was introducing the rules to "enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies" – and emphasised that the disclosures would need to be filed in machine-readable Inline XBRL format.
At the time, the US Chamber of Commerce warned that the SEC's "unprecedented micromanagement of companies' cybersecurity programs" was "misguided". Find out why the rules triggered "fury" in our original coverage.
Have the rules achieved their goals and how are CISOs doing things differently? The Stack spoke to industry experts to find out.
George Gerchow, Faculty at IANS Research and Head of Trust at MongoDB, said "not much has changed".
"While organizations are trying to be more transparent, the lack of significant fines or penalties allows the same bad habits to persist," he said. "Many large corporations have experienced major incidents and failed to disclose them within the required four days of determining materiality without facing additional penalties.
"Having personally experienced two cybersecurity incidents last year, I can attest that the new rules are a priority, especially regarding disclosure timing. However, these rules also create problems, such as announcing an ongoing attack before having time to mitigate the issue. This adds complexity and increases malicious activity against an already vulnerable organization."
Gerchow said that "we need greater accountability and larger sanctions on timing to enable customers to protect themselves, as well as clearer guidance on what constitutes material information."
However, he also said that security teams and leaders are under increasing pressure and warned:
"We are becoming scapegoats. If this trend continues, you will see an even larger gap in security talent willing to put their credibility on the line, as well as facing charges by the SEC and DOJ.
"We must find ways to better protect companies that are undergoing an incident after disclosure and are under attack. We need more accountability for the organization instead of focusing on the security leaders of these companies who, in many instances, have their hands tied by execs and the board."
SolarWinds of change?
The dismissal of most of the SEC's charges against SolarWinds and its CISO was "viewed as a win within the CISO community," said Steve Martano, Faculty at IANS Research and Partner at Artico Search. But you might want to pause before breaking out the party poppers.
"It is premature to think regulatory pressure and litigation against companies and individuals will desist in the future," he warned.
"Each cyber incident and consequent response is unique, and while the SEC may be hesitant to proceed with litigation due to this precedent in the immediate future, it’s become clear in recent months and years that regulators are indeed willing to test the bounds of such litigation.
"We are far from a clear understanding of what is expected of companies and security leaders in terms of breach response, but U.S. District Judge Paul Engelmayer’s ruling that company risk warnings do not require “maximum specificity” does mitigate the risk for CISOs, if only slightly.
"Although many CISOs clamoured that the SEC did not do enough in their 2023 ruling, they begrudgingly agree that any move leading to an increase in transparency and disclosure is a positive step. Most of the discontent last summer was around the SEC striking their cyber board member requirement, the optics of which was regulators viewing cyber as an operational challenge to be managed by executives rather than in the boardroom."
Martano said many companies have now developed a "cross-functional plan" for cyber incidents involving "redesigning incident response strategies that include an assessment of materiality."
"This positive development enhances the muscle memory of an organization in the event they need to respond to a security incident while also elevating the security function and security leader," he said. "While we are far from an equilibrium on cyber disclosure and regulatory requirements, we are trending in the right direction.”
Won't somebody think of the CISOs?
Scott Kannry, CEO and Co-Founder at Axio, said the SolarWinds case has not "entirely removed" concerns but "offers some relief for CISOs."
"For companies and CISOs, this raises critical questions: Do these rules still matter, and how should strategies evolve to align with shifting regulations?" he asked. "While clear answers remain elusive, one thing is certain—the regulatory and litigation landscape will continue to transform. We can anticipate more regulations, increased litigation, and potentially conflicting court decisions."
He called on organisations to ensure cybersecurity programs align with the highest-risk areas, assess the potential financial impact of cybersecurity events, evaluate how well "losses are contained within risk tolerance levels if an event occurs," and then identify cost-effective strategies to achieve these goals.
"CISOs, in particular, must build a shield of defensibility," Kannry advised. "They need to demonstrate that they have exercised appropriate care, were well-informed, and used proper business judgment. By doing so, they can better navigate the complex and evolving regulatory landscape, safeguarding their organisations.”
How has your organisation changed since the SEC rules came into force? Get in touch with [email protected] to let us know (or tell us about anything else that's affecting your work and security posture).