As enterprises continue to weigh which security incidents constitute something material enough to be reported under the new SEC rules, CISOs face the challenge of deciding what details to report and, far more critically, which ones to omit.
“This [SEC] rule puts CISOs in a very delicate position, and they are not being given a lot of guidance or direction,” says Merritt Maxim, a Forrester VP and research director. “You know you’ve been compromised, but you don’t have all the facts on day one.”
In the case of a material incident, the CISO, along with the security operations center, would have to prepare a memo with all of the incident details and send it to investor relations and legal. Once those departments have reviewed it, the memo would be used to prepare the filing for the Securities and Exchange Commission.
Although the new SEC rules take effect Dec. 18, there are already disclosures from three enterprises that CISOs can look at to get an idea of how to comply with the new rules: Caesars, MGM, and two filings from Clorox.
Since the filings deal with very different incidents, it makes sense that the information contained are also very different. However, the filings are consistent in that they focus on what is known and avoid speculations and predictions. The filings also do not share any details that are likely to change.
There are three competing objectives that CISOs are simultaneously juggling:
- Report as much as you can. Legally, the goal is to share as much information as possible with investors and potential investors.
- Report as little as you can. From a cybersecurity perspective, the goal is to tell potential attackers as little about your threat landscape and your defenses as possible, especially when the attack has not yet been fully contained.
- Report only what you are confident about. Most initial details are wrong, and reports are repeatedly updated as the days, weeks, and months go by. That raises a thorny question: Is the enterprise obligated to disclose information that they consider to be — initially, at least — of very low reliability?
“Only report what you know by 80-90% certainty,” says Dirk Hodgson, CISO of NTT Australia. “A few days into an incident, you are simply not going to know a great deal. You still are likely not even close to the point of having surveyed your entire global environment.”
Douglas Brush, a special master with the US federal courts and the chief visionary officer for Accel Consulting, stresses that choosing which security incident details are material can be challenging. It’s one thing to conclude that the incident is material, he says, but selecting which specifics details are relevant and meaningful for the investing public is quite different.
“Most enterprises have no idea what impact cyber operations will eventually have on their businesses,” Brush says.
Phil Neray, vice president of cyber defense strategy for Gem Security, says that Clorox’s SEC filings illustrate this “report what you are confident about” point well. He says they “properly walked a fine line between saying what they knew and making basic estimates about how long it would take to restore operations.”
Disclosures should be kept simple and to the facts, agrees Rex Booth, CISO of Sailpoint. “Keep it at a super summary level,” he says. “Things that are tangible and measurable: which operations were interrupted, which systems were compromised. Talk about observed impact and not causation. And say that ‘we will continue to investigate with outside entities.'”
What You Don’t Have to Say
Another important element is whether the information is truly going to be of any actionable value to shareholders and potential investors. The value of revealing a specific vulnerability needs to be balanced against the potential of providing attackers with more information they can use against you, Booth advises.
CISOs must also be aware of what details are already public. In the Caesars and MGM incidents, for example, there was more information available via social media than from the filings, such as the fact that guests staying at the two casinos were unable to get into their rooms. That’s the kind of detail you can’t keep a secret, even if you want to.
While it makes sense to report only confirmed things, that advice may not necessarily always be the right call. “On the one hand, you do have to make a judgment on the material of the information,” says Naj Adib, a risk and financial principal for cyber and strategic risk at Deloitte. “But your obligation is to disclose.”
CISOs should separate what happened from what the organization is going to do about it, Adib says. “There is no requirement to go out and discuss remediation,” he adds.
Higher Profile for Breaches
From a practical perspective, nothing has changed regarding what has to be reported, as the SEC has always required every publicly held company to report anything material to the SEC. The change is about timing — within four days — and the emphasis being placed on the disclosures. The fact that the SEC now has a document dedicated just to reporting cybersecurity incidents will bring incidents front-and-center with every board of directors and, therefore, with every CEO and CFO.
“This will lead to far more internal attention. This is no longer a line buried in hundreds of thousands of lines in a 10K,” Booth says.
CISOs should also bring corporate counsel or outside legal advisors into the disclosure discussions and decisions, says Accel’s Brush. This action both brings necessary legal advice into the discussion and protects the conversations from being legally discoverable due to attorney-client privilege.
“The CISO’s communications with the inside security team is all potentially discoverable,” Brush says. With a lawyer present and thus protected, he adds, “As you are preparing your final statement, you can have open and frank discussions.”