The SEC's new cybersecurity disclosure rules - are you ready?

The U.S. Securities and Exchange Commission (SEC) announced new regulations for public companies requiring them to disclose a “material cybersecurity incident” via formal report due four business days after a company determines that a cybersecurity incident is material. This is creating a lot of buzz, with companies worried if they will be prepared.

But something else folks aren’t focusing on is the SEC will require companies to provide annual ongoing disclosure on their “cybersecurity risk management, strategy, and governance”. Whether or not you work in security for a public company, your customers and vendors could be affected.

Understanding recent developments

Cybersecurity regulations and requirements constantly evolve to address the ever-changing cyber threat landscape. And that’s a good thing. But with so many different regulatory bodies and frameworks to abide by, let’s unpack what the SEC is saying and why companies are concerned.

The SEC is responsible for regulating and overseeing the securities industry, including stock and options exchanges. Cybersecurity regulations issued by the SEC are purposefully designed to enhance the protection of sensitive and confidential information held by companies and financial institutions. These critical regulations aim to safeguard the integrity of financial markets and protect investors from cyber threats.

As you may expect, publicly-traded companies get worried whenever regulations change and most of them can identify with any one (or all) of these challenges and concerns:

• Compliance requirements: Companies must comply with the SEC's cybersecurity regulations, and failure to do so can result in significant fines, penalties, or legal actions. Non-compliance may also harm a company's reputation and shareholder trust.

• Cybersecurity risks: As cyber threats evolve and become more sophisticated, companies worry about their ability to adequately protect sensitive data, financial assets, and critical systems from cyberattacks and data incidents.

• Cost of implementation: Implementing robust cybersecurity measures can be costly, especially for smaller companies with limited resources. Compliance with new regulations may require investments in technology, staff training, and regular security audits.

• Reputation and investor confidence: A cybersecurity incident can lead to reputational damage and erode investor confidence. Companies understand that losing customer trust and shareholder value can have long-lasting effects.

• Potential legal liability: In a cybersecurity incident, companies may face legal liabilities and potential lawsuits from affected customers or investors, further impacting their financial stability.

• The complexity of regulation: Some companies may need help to interpret and comply with complex regulatory requirements, leading to potential mistakes and vulnerabilities.

So to address these concerns to date, companies often invest in comprehensive cybersecurity strategies, hire cybersecurity experts, conduct regular risk assessments, and implement robust security measures to safeguard their digital assets and sensitive data. Additionally, they may seek guidance from cybersecurity consultants and legal experts to ensure compliance with relevant regulations.

With this recent SEC ruling, the SEC has adopted requirements around “disclosure of material cybersecurity incidents on Form 8-K and periodic disclosure of a registrant’s cybersecurity risk management, strategy, and governance in annual reports.” These new rules will require companies to disclose via an updated 8-K form whether they determined any cybersecurity incident to be material. They also have to describe the material aspects of the incident's “nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.”

This is the way

Traditionally, the steps to disclose material cybersecurity incidents and the tools and processes used can vary depending on the organization, their industry, and the nature of the event, but here are some common steps and practices you likely know all too well:

1. Detection and confirmation

   1. Detect the incident: Use monitoring tools, intrusion detection systems (IDS), intrusion prevention systems (IPS), security information and event management (SIEM) solutions, or other security mechanisms to detect potential cybersecurity incidents.

   2. Confirm the incident: Conduct a thorough investigation to validate the cybersecurity incident and assess its scope and impact.

2. Initial response

   1. Activate incident response plan: Organizations should have a well-defined incident response plan (IRP) in place. The IRP outlines the roles, responsibilities, and actions to be taken during an incident.

   2. Assemble the incident response team: Bring together a cross-functional team, including IT, security, legal, public relations, and management representatives.

3. Containment

   1. Isolate affected systems: Prevent further spread of the incident by isolating affected systems from the network to limit the attacker's lateral movement.

   2. Implement temporary fixes: Apply temporary patches or mitigations to prevent the incident from worsening.

4. Forensics and analysis

   1. Preserve evidence: Ensure the preservation of digital evidence for further analysis and potential legal proceedings.

   2. Investigate the incident: Use forensic tools and techniques to determine the cause of the incident, the entry point, and the data accessed or compromised.

5. Notification and reporting

   1. Regulatory authorities: Report the incident to relevant regulatory authorities as required by law or industry regulations.

   2. Affected parties: Notify affected individuals or customers whose data may have been compromised.

   3. Business partners and stakeholders: Inform business partners and stakeholders about the incident.

6. Remediation

   1. Remediate vulnerabilities: Address the root cause of the incident by fixing vulnerabilities and security gaps that allowed the incident to occur.

   2. Update security policies: Revise security policies and procedures to prevent similar incidents in the future.

7. Monitoring and follow-up

   1. Continuously monitor systems: Implement enhanced monitoring to identify any signs of recurring or new attacks.

   2. Learn from the incident: Conduct a post-incident review to analyze the organization's response and identify areas for improvement.

Realize that while doing this, your security team is likely still challenged with an explosion of data, alert fatigue, working with tools that weren’t built for the cloud, and ongoing personnel gaps. I bet most organizations are already working with a lean security team, and they have many requirements to fulfill. Adding to the existing mission of incident detection and response, now the team feels the crushing pressure to perform to this new SEC rigor that’s established. The level of scrutiny and burden of responsibility to the business just got cranked up to 11.

Missing the time element

Organizations have adapted their incident reporting and response processes based on their own needs and requirements, typically based on the best practices above. But take a moment to breathe all that in and appreciate all the complexity and coordination involved for success.

Now couple that with the fact that until now, there was no specific federal law in the United States that mandated a specific timeframe for publicly traded companies to report material cybersecurity incidents to the public or regulatory authorities. Well, unless you count SOX regulations that articulate a subjective timeframe of “rapid and current” in that federal regulation’s section 409.

This timeframe from the SEC is specific. But when does the clock for the SEC actually start?

What exactly is ‘materiality’?

Technically, a company could investigate indicators of attack or compromise as they determine whether something is considered material. And this is well before this new four-day clock has even started. This will test not only your governance but also your detection tools and workflows that you have put in place to determine whether a cyber incident has occurred.

The first company that gets its hand slapped for not disclosing a “material” incident will help the SEC zero in on what “material” means. And that will further define what incidents are included or in scope. Then other companies will be better aware of what that definition is, but will soon realize they will be held to this new definition.

Although not mentioned specifically by the SEC, most security folks know that fines will likely be announced shortly and will be in the millions of dollars. The SEC menu of punishments for failing to abide by their rules could be broad. So it will be interesting to see what the depth and breadth of fines will look like.

Here are just a couple examples of how tough this materiality decision might be:

• Losing or exposing secrets publicly in an open-source library (i.e., API keys): Maybe that’s material, depending on where those keys were providing programmatic access to.

• CEO laptop was lost/stolen but had a live session still logged in (i.e., SSO): Sure, that’s material, depending on how that laptop is now used. Could it impact your investors? Maybe. Will it? Maybe not.

• You detected a DDoS attack against your cloud-native retail application and the system wasn’t available for 5 minutes: Is that material? Maybe not. How about 3 days? Likely material due to the financial impact.

Who owns the math or calculation of materiality? It’s all subjective and that’s why we will need our security community to help define these issues. Even more stakeholders and shareholders will expect to be notified, including the SEC.

Gotta be a better way

Your organization needs to collect all of your security log data quickly, efficiently, and in a central area to ensure you have accurate information coming in. You also need to have all of those security detection and response capabilities mentioned above in place with a trained staff and an operable plan. And the company needs to be prepared to quickly and clearly communicate across a broad swath of non-technical stakeholders (e.g., finance, legal, board of directors, etc.) to help weigh in on the materiality question.

According to George Gerchow, CSO and SVP of IT at Sumo Logic, “Consumers are losing confidence that public companies are reporting when a breach actually occurs. The new SEC regulations are a great step forward to protect customers and the investment community.”

One of the biggest hurdles companies will need to deal with is figuring out if something is a true incident or not. What is the tipping point to say this is an actual breach, and when does it meet the mark for when we report it? This doesn’t just fall on the CSO anymore, this affects the entire working group and bottom line. Especially now with the cloud, it will be harder to discover that tipping point. Companies must implement new solutions to help remain compliant.

When simpler is faster

When it comes to cybersecurity, it all comes down to the logs. It’s the first place to go if a company suspects a cyber incident. Read our guide to log analytics to learn how it helps improve app performance and security. With your existing security tooling in place all feeding their logs to Sumo Logic’s cloud-native SaaS platform, you can quickly determine the scope and severity of an incident using our Cloud SIEM and advanced analytics.

In particular, our Entity Relationship Graph helps security analysts understand the scope of the detected threat. With built-in dashboards/reporting and automated notifications, your entire organization can quickly get the information they need to begin to determine the materiality of your cybersecurity incident.

Learn more about Sumo Logic’s capabilities so that you don’t need to worry about the latest SEC rules or any other regulations that may expand or change.