It’s here — the over-discussed, 186-page Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure final rule from the SEC.
And in turn the security community shouts loudly, “Finally a difference has been made!” “Cyber Matters!” “CISOs finally get board attention!” “Security will be taken seriously!”
This ruling isn’t about cyber security. Well it is… but it isn’t…. This ruling is intended to aid in protecting stock prices and allowing investors in public companies to make informed decisions on the price point of a stock, taking the cyber risk practices of an organization into account. It’s about aiding investors in performing due diligence on their portfolios.
The ruling only has one real requirement of a security program: Assess whether a breach has material impact, and if so, disclose that incident and its impact. There are two other new requirements related to the public filings of a company as well, but they don’t require you to do anything new technically, except disclose specifics about the organization’s cyber practices. I’ll come back to this. Let’s focus on the meat of this ruling first — “material impact” as it relates to an incident.
In legal terminology, “material” means something of significance, something that degrades the core of, in this case, the business finances or strategy. The crux of many lawyers’ arguments, whether in filing a case, getting a case dismissed, or at trial, is the “materiality standard,” in other words, how “material” is defined. The SEC has provided some guidance in the ruling, drawn from other SEC rules and some existing case law. Their summary is as follows:
information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.” “Doubts as to the critical nature” of the relevant information should be “resolved in favor of those the statute is designed to protect,”
-Top of page 15 from the SEC ruling
Here is the crux of my opinion on this ruling: The materiality standard will need to be argued in court for this rule to have teeth and develop a reasonable legal precedent that can be acted on by an average security team. A reasonable shareholder has no idea which cyber incidents may have an impact, save the overtly obvious theft of core intellectual property. Is a 1-hour outage of commercial services important to an investment decision? I would argue not. But a 12-hour outage? Maybe. How much revenue loss is there in 12 hours? Will that have a significant bottom-line impact?
In the meantime, until we see a few cases next year, if your company is publicly traded, take the following steps:
Back to the other requirements. Here is a simple breakdown of what a publicly traded company has to do moving forward.
Starting 30 days from the ruling (mid-August) organizations must disclose any material cybersecurity incident.
Starting with annual public reports after December 15th, you must describe your cyber program, previous incidents, and cyber expertise on your board.
Requires foreign private issuers to follow similar standards to S-K Item 106.
This isn’t a huge change for most security teams. You’re likely already doing audits, you’re already answering and performing third-party risk assessments, and you’re likely already performing incident disclosure under other regulations, such as NY state’s DFS rules.
Spend an afternoon with your legal counsel and finance teams. Update your reporting standards. And lastly, template out your program to make your yearly filing easier.
In reality, the biggest change for a business will be the CISO now participating in the annual SEC-required reporting, and occasionally there may be an incident that meets the material standard and will require filing another form as well.