Understanding SEC Cyber Disclosure Rules and CISO Liability

The SEC’s proposed cybersecurity disclosure rule, known as the Proposed Rule for Public Companies (PRPC), has ushered in a wave of concerns and challenges, particularly for CISOs. The rule mandates that companies report material cybersecurity incidents within four days. This tight timeline raises questions about the rules’ practicality and potential impact on CISOs’ liability. 

SEC Cybersecurity Rule Effective Date

Publicly traded companies on U.S. stock exchanges must adhere to the cyber risk management and material incident reporting guidelines, commencing in mid-December 2023 (or Spring 2024 for qualifying small companies). 

CISOs in the Spotlight

It’s important to remember that cybersecurity incidents can be complex and take weeks, or even months, to comprehend and remediate fully. Instantaneously determining the implications of a security breach is often an impossible task. 

The strict four-day disclosure window places enormous pressure on CISOs to report incidents before they can fully understand the situation. CISOs might find themselves having to disclose vulnerabilities that, given more time to investigate, would prove less significant than they first appeared. Such premature disclosures can have far-reaching effects on a publicly traded company.

The Evolving Role of CISOs in Response to Cybersecurity Regulations

The role of a CISO is becoming increasingly critical. In a well-established security program, the CISO is progressively building relationships and communication channels with the CEO and board. This relationship gains importance with the introduction of regulatory requirements like the new SEC cyber rule.

The new regulations place more responsibilities on CISOs in terms of guidance and requirements to track. A growing trend toward transparency has become evident, a factor CISOs must consider and integrate into their organizations.

There are repercussions to the rising pressure faced by CISOs. The terms “CISO Carousel” or “The Great Resignation of 2023” refer to the high turnover rate of Chief Information Security Officers (CISOs) in organizations. It is a phenomenon where CISOs have relatively short average tenures, typically ranging from 18 to 24 months. This rapid churn of CISOs has become a notable issue in cybersecurity.

Addressing CISO Concerns

According to ProofPoint’s annual Voice of the CISO report, 62% of CISOs were already concerned about personal liability related to incident response and corporate governance issues. With the added responsibilities under the SEC rules, CISOs might naturally feel increased anxiety.

However, there’s room for optimism. Some of the new regulations can ease the concerns of CISOs rather than exacerbate them. For example, the SEC rule provides specific guidance on when a material cybersecurity incident must be reported, bringing much-needed clarity to a previously unclear process.

Clarity plays a crucial role in holding organizations accountable for accurate cybersecurity reporting. Many organizations shy away from complete transparency, especially if reporting requirements lack specificity. Legal and PR teams often advise against disclosure when faced with vague reporting guidelines, which can create discomfort for CISOs. The new SEC rule provides more straightforward instructions in such situations, offering hope that further clarity will follow suit.

Recommendations for CISOs in Light of Cybersecurity Regulations

Here is some advice for CISOs concerned with liabilities for security disclosures and how to prepare for the SEC Cybersecurity Disclosure Rule:

  • Identify Key Stakeholders:

Begin by identifying the key stakeholders within your organization who play a critical role in meeting the new SEC cyber requirements. This typically includes members of the board, legal counsel (both internal and external), members of the executive team, and individuals in cybersecurity and technology roles throughout the company. Engage these stakeholders early to ensure a coordinated approach to compliance.

  • Define “Material” Impact:

It’s crucial to have a clear and agreed-upon definition of what constitutes a “material” impact in the context of a cyber incident. Avoid situations where the organization is in the midst of an incident, and there is disagreement about whether the impact is material. This clarity will facilitate a more effective response.

  • Unravel Complex Definitions:

Examine the PRPC’s proposal to disclose incidents that become “material in aggregate.” Understand the practical implications of this requirement. Does it mean that an unpatched vulnerability from the past can trigger disclosure if it contributes to a subsequent incident? Address the challenges arising from the conflation of threats, vulnerabilities, and business impact. Determine what needs to be disclosed when dealing with aggregate incidents.

  • Review and Strengthen Your Cyber Risk Management Program:

Ensure that your cybersecurity risk management program adheres to best practices and is robust. This should encompass thorough third-party risk management, identification of critical vulnerabilities, and proactive risk mitigation based on your findings. Regularly review and enhance your program to keep pace with evolving threats.

  • Prepare an Incident Detection and Response Plan:

Work with relevant stakeholders to prepare a comprehensive incident detection and response plan. Consider potential scenarios that may require notifications and disclosures. Strive to strike a balance between meeting disclosure requirements and protecting the organization from potential liability or future security incidents caused by over-disclosure. Having a well-defined plan in place will help your organization respond more effectively and maintain transparency in the face of scrutiny.

  • Expand Board Cybersecurity Expertise:

To effectively address the new standards and challenges, consider adding cybersecurity expertise to your board. This can be in the form of a dedicated cybersecurity expert or technology expert. Having an independent voice that can provide on-demand support for expanding the board’s cybersecurity knowledge is a wise and timely move.

  • Understand SEC and Investor Expectations:

Ensure that both the board and executive team have a clear understanding of the new SEC cyber regulations and the expectations of the investor community. This understanding is crucial for aligning governance practices with regulatory standards.

  • Stay Informed About Cyber Trends:

Boards must stay informed about the latest trends and emerging cyber risk factors. This awareness helps boards fulfill their oversight responsibilities effectively and make informed decisions about cybersecurity investments and risk mitigation.

  • Engage Cyber Experts:

Consider seeking external experts to support the board’s cyber risk oversight responsibilities. Expert insights and guidance can enhance the board’s ability to address complex cybersecurity issues.

  • Prepare to Ask the Right Questions:

Boards should be prepared to ask management the right questions regarding business strategy, financial planning, and capital allocations in the cyber area. This proactive approach ensures that cybersecurity is an integral part of decision-making processes.

  • Review Board Materials:

Regularly review materials and presentations provided to the board to ensure proper documents are in place. Having access to accurate and up-to-date information is critical for informed decision-making.

  • Prioritize Safety in Technology:

Ensure that safety in technology is a key driver in addition to cost, capability, performance, and speed to market. Cybersecurity should be integrated into technology decisions to mitigate risks effectively.

  • Emphasize Effective Communication:

Effective communication is fundamental to achieving positive outcomes in business. CEOs are pivotal in creating an organizational culture that effectively addresses cyber risk. Simplify technical discussions loaded with security jargon into understandable financial exposure analyses that highlight the potential financial impact of cyberattacks. This approach ensures that the entire organization, including people and processes, understands cyber risk.

How Regulations Impact CISOs and How They Are Navigating These Challenges

  1. The Scapegoat Effect

One significant impact of disclosure regulations is the potential for CISOs to become scapegoats for security incidents. Whether it’s an internal breach or external cyber issues, CISOs are increasingly at risk of being blamed, even when diligently working to address complex cybersecurity concerns. In this environment, CISOs find themselves in a precarious position, and their roles have become more challenging than ever before.

  2. Scrutiny by Regulatory Authorities

CISOs can also be held accountable by regulatory authorities for their actions both before and after a security breach. For instance, the Securities and Exchange Commission (SEC) has closely scrutinized CISOs’ roles in addressing cybersecurity incidents.

  3. Lack of Board Support

Despite the growing importance of cybersecurity, board recognition of CISOs’ roles and the resources they require remains a challenge. Some CISOs may not receive the support and resources they need to implement essential cybersecurity controls. This lack of support can lead to their frustration and, ultimately, their decision to seek employment elsewhere.

  4. Impact of CISO Churn

High turnover rates among CISOs can negatively affect organizations’ cybersecurity postures. New CISOs often need time to understand the business and may bring different approaches to security. This can result in a lack of continuity in security initiatives, exposing organizations to vulnerabilities.

The Way Forward: Better Communication

The key to addressing the challenges CISOs face in the era of disclosure regulations lies in better communication. Boards must foster respect, responsiveness, and support for CISOs, moving beyond merely offering competitive compensation. CISOs, in turn, should improve their communication skills, translating complex cybersecurity imperatives into business-relevant language. Achieving a balance between business priorities and cybersecurity needs is crucial for success.

As with any new regulation, uncertainty looms. The true impact of the PRPC, and companies’ ability to meet its proposed requirements, remain uncertain. The evolving landscape of cybersecurity regulations will undoubtedly pose challenges for CISOs, but it also presents an opportunity for collaboration and improved communication across organizations. Only time will tell how this story unfolds.