As enterprises continue to weigh which security incidents constitute something material enough to be reported under the Securities and Exchange Commission’s (SEC) new rules, CISOs face the challenge of deciding which details to report and, far more critically, which ones to omit.
“This [SEC] rule puts CISOs in a very delicate position, and they are not being given a lot of guidance or direction,” says Merritt Maxim, a Forrester VP and research director. “You know you’ve been compromised, but you don’t have all the facts on day one.”
In the case of a material incident, the CISO, along with the security operations center, would have to prepare a memo with all of the incident details and send it to investor relations and legal. Once those departments have reviewed it, the memo would be used to prepare the filing for the SEC.
Although the new SEC rules take effect Dec. 18, CISOs can already look at the disclosures from three enterprises — Caesars, MGM, and two filings from Clorox — to get an idea of how to comply.
Since the filings deal with very different incidents, it makes sense that the details contained are also very different. However, the filings are consistent in that they focus on what is known and avoid speculations and predictions. The filings do not share any details that are likely to change either.
Competing Obligations
CISOs are simultaneously juggling three competing objectives:
“Only report what you know by 80% to 90% certainty,” says Dirk Hodgson, CISO of NTT Australia. “A few days into an incident, you are simply not going to know a great deal. You still are likely not even close to the point of having surveyed your entire global environment.”
Douglas Brush, a special master with the US federal courts and the chief visionary officer for Accel Consulting, stresses that choosing which security incident details are material can be challenging. It’s one thing to conclude that the incident is material, he says, but selecting which specific details are relevant and meaningful for the investing public is quite different.
“Most enterprises have no idea what impact cyber operations will eventually have on their businesses,” Brush says.
Clorox’s SEC filings illustrate the “report what you are confident about” point well, says Phil Neray, vice president of cyber defense strategy at Gem Security. The organization “properly walked a fine line between saying what they knew and making basic estimates about how long it would take to restore operations,” he says.
Disclosures should be kept simple and to the facts, agrees Rex Booth, CISO of SailPoint.
“Keep it at a super summary level [to] things that are tangible and measurable: which operations were interrupted, which systems were compromised,” he says. “Talk about observed impact and not causation. And say that ‘we will continue to investigate with outside entities.’”
What You Don’t Have to Say
Another important element is whether the information is truly going to be of any actionable value to shareholders and potential investors. The value of revealing a specific vulnerability needs to be balanced with the potential of providing attackers with more information that they can use against you, Booth advises.
CISOs must also be aware of what details are already public. In the Caesars and MGM incidents, for example, more information was available via social media than from the filings, such as the fact that guests staying at the two casinos were unable to get into their rooms. That’s the kind of detail you can’t keep secret, even if you want to.
While it makes sense to report only confirmed details, that advice may not necessarily always be the right call. “On the one hand, you do have to make a judgment on the material of the information,” says Naj Adib, a risk and financial principal for cyber and strategic risk at Deloitte. “But your obligation is to disclose.”
CISOs should separate what happened from what the organization is going to do about it, Adib says. “There is no requirement to go out and discuss remediation,” he adds.
Higher Profile for Breaches
From a practical perspective, nothing has changed regarding what has to be reported; the SEC has always required every publicly held company to report anything material to the SEC. The change is about timing — within four days — and the emphasis being placed on the disclosures. The fact that the SEC now has a document dedicated just to reporting cybersecurity incidents will bring incidents front and center with every board of directors and, therefore, with every CEO and CFO.
“This will lead to far more internal attention. This is no longer a line buried in hundreds of thousands of lines in a 10K,” Booth says.
CISOs should also bring corporate counsel or outside legal advisers into the disclosure discussions and decisions, says Accel’s Brush. This action brings necessary legal advice into the discussion and protects the conversations from being legally discoverable due to attorney-client privilege.
“The CISO’s communications with the inside security team are all potentially discoverable,” Brush says. With a lawyer present and thus protected, he adds, “As you are preparing your final statement, you can have open and frank discussions.”