Companies Are Already Not Complying With The New SEC Cybersecurity Incident Disclosure Rules

The U.S. Securities and Exchange Commission finalized new cybersecurity disclosure rules in 2023 to improve investor transparency over cybersecurity risks and the actual cybersecurity incidents impacting their investments. Disclosure requirements now span certain corporate governance and management processes and information about material cybersecurity incidents themselves.

Some well-known companies have made cybersecurity incident disclosures since the new rules went into effect on December 18. They include Microsoft, Hewlett Packard, UnitedHealth Group, Prudential Financial, apparel maker VF Corp and Loan Depot.

However, there is a problem with all of the disclosures — none of them are compliant with the new SEC cybersecurity incident disclosure rules.

Under the new disclosure rules, SEC registrants are required to make a disclosure within four business days once a cybersecurity incident is deemed by the company to be material to a reasonable investor. Cybersecurity incidents include both unauthorized occurrences and accidental occurrences not caused by a malicious attack. So if a company’s information systems go down because of an internal systems failure, and the company determines that the incident is material to a reasonable investor because, for example, the company can no longer process transactions, it needs to make a disclosure under the new rules. Similarly, if the company suffers an attack and data on 35 million customers is stolen, something likely to be considered material to a reasonable investor, it also needs to make an incident disclosure.

There are exceptions to the four-business-day rule if the U.S. Department of Justice determines that a delay is in the interest of national security or public safety — a process that runs through the FBI.

Microsoft and Hewlett Packard recently disclosed that executive emails were hacked, along with emails from their cybersecurity, legal, go-to-market and other teams. VF Corporation indicated in mid-December that data was stolen and that management made the decision to shut down certain operating systems before the busy holiday season; some of these operational impairments negatively impacted its ability to fulfill orders. Loan Depot disclosed that it identified unauthorized access to its systems, that some of its data was encrypted, and that management also shut down certain systems to contain the risk.

With the goal that disclosures address the need for investors to receive “timely, standardized disclosure regarding cybersecurity incidents materially affecting registrants’ businesses…”, the SEC wants several things to be disclosed about these material cybersecurity incidents.

The first thing the SEC wants is a description of the material aspects of the nature, scope and timing of the incident. Informing investors of what happened is a logical requirement of the new SEC rules, and all of the disclosures made so far respond to this part of the requirement with the information a company uncovers as it launches its investigation. As the investigation proceeds, disclosure amendments are to be filed as further material information about the incident arises.

Given that each of these companies has made an incident disclosure under the new SEC rules, by definition each company has determined that the information it initially uncovered does rise to the level of the incident being material to a reasonable investor.

But how? This is where all of the disclosures that have been made so far are deficient and not in compliance with the new SEC disclosure rules.

The second part of the new SEC incident disclosure rules requires that in addition to the material aspects of the incident, the material impacts or reasonably likely material impacts of the incident are to be disclosed. This is a particular emphasis of the new rules.

And these impacts are expected to be determined both quantitatively and qualitatively, e.g., the incident is likely to have a $100 million negative impact on annual earnings; or the incident breached proprietary communications with third parties that will impair strategic M&A initiatives; or stolen customer data will likely result in shareholder litigation and regulatory fines.

However, none of the first disclosures made under the new SEC disclosure rules include descriptions of the material impacts or reasonably likely material impacts of the incident. Yet the companies, by definition, must have an understanding of these impacts; otherwise they would not have made the disclosure filing in the first place.

And notably, what all of the disclosures also have in common is that they are all based exclusively on the qualitative impacts of the incident. None of them reference any quantitative impacts, i.e., revenue loss, earnings impact, costs to remediate, share value loss.

So why are companies knowingly making a disclosure filing based upon their determination that the incident is qualitatively material, but failing to disclose what these material impacts are?

UnitedHealth Group (NYSE: UNH) disclosed on February 22 that it identified an unauthorized and suspected nation-state intrusion and that management took actions to isolate the incident, i.e., shut down some systems. A day after the hack, Moody’s said it would be “credit negative” for the company. A press report a week after the UnitedHealth Group incident stated that there are “loss of life” implications to the incident. The hackers responsible for the incident even went public and said that they stole over 6TB of data belonging to thousands of healthcare providers, insurance providers and pharmacies. As of March 3, UNH has not amended its original disclosure with any indication of the material impacts of the incident, or even with new information about the material aspects of the incident.

Given that executive emails were hacked at Microsoft, what are the material or reasonably likely material impacts? Have strategic plans been exposed? Have financial projections and information been compromised? Has information related to third-party discussions about acquisition targets, product initiatives, or litigation been compromised? Something drove Microsoft to conclude that the incident was material to reasonable investors and to disclose it. What was it?

Each of the disclosures does contain an accountant-style statement similar to this one included in the original UnitedHealth Group 8-K: “As of the date of this report, the Company has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.” But that is not what the SEC disclosure rules are asking for when they require the registrant to describe the incident’s “…material impact or reasonably likely material impact on the registrant…”.

And given that every disclosure has been made based exclusively upon qualitative impacts, the fact that companies do not yet know the financial costs and impacts of the incident is also not relevant. Incident costs and financial implications typically lag as the incident plays out.

Are these failures to describe the material impacts, or reasonably likely material impacts of the incidents intentional? Are these filings initially a poorly executed legal compliance exercise for companies? Are companies rushing to disclose? Does it demonstrate a lack of understanding of the SEC rules? Is it a failure to understand or have an informed and deliberative process in place that identifies the far-reaching impacts of an incident?

I asked Don India, CEO of RadarFirst, a data privacy and security compliance SaaS platform, about the early state of these disclosures.

“Compliance with the new SEC rules presents a distinctive challenge as each registrant must determine their own processes for complying with them. Compounding this are the vagaries with how the SEC defines materiality and the fact that this concept is being applied for the first time to cybersecurity and how the digital business system creates value for the company. These regulations will continue to evolve, much like data privacy legislation has. Originating with the Data Privacy Act of 1974, the landscape of data privacy has undergone significant transformation and now provides much clearer directives on personal data protection and breach response protocols, along with clear accountability through stiff penalties for failure to comply.”

He continued, “Three certainties emerge from this current situation. First, I think further guidance and/or regulation from the SEC can be expected, and is needed. Second, examples will be set and penalties imposed which will force all organizations into developing more structured processes on these issues. And lastly, other stakeholders, namely institutional investors, will begin to pressure boards on these issues for more details on how their IT systems create and support value for the company now that there is a regulatory baseline in place.”

The SEC wants investors to be better informed about the material details and impacts of cybersecurity incidents. So far, the SEC’s new rules are failing to deliver on that goal.
