In March 2022, the Securities and Exchange Commission (SEC) proposed a rule on cybersecurity disclosure, governance, and risk management for public companies, known as the Proposed Rule for Public Companies (PRPC). This rule would require companies to report “material” cybersecurity incidents within four days. It would also require that boards of directors have cybersecurity expertise.
Unsurprisingly, it’s being met with all sorts of pushback. In its current form, the proposed rule leaves a lot of room for interpretation, and it’s impractical in some areas.
For one, the tight disclosure window will put massive amounts of pressure on chief information security officers (CISOs) to disclose material incidents before they have all the details. Incidents can take weeks and sometimes months to understand and fully remediate. It is impossible to know the impact of a new vulnerability until ample resources are dedicated to remediation. CISOs may also end up having to disclose vulnerabilities that, with more time, end up being less of an issue and therefore not material. That could, in turn, affect the short-term price of a company.
Incidents Are a Living Thing — Not a One-and-Done Deal
Four-day disclosure requirements might sound fine at face value. But they are not realistic and will ultimately distract CISOs from putting out fires.
I’ll use the European Union’s General Data Protection Regulation (GDPR) as a comparison. Under the regulation, companies must report incidents of non-compliance within 72 hours. However, in the case of GDPR, the need to report is well-defined. While 72 hours is often too soon to know the specifics of an incident’s overall impact, organizations at the very least will know if personal information has been compromised.
Compare this with the PRPC’s proposed disclosure requirements. Organizations will have an extra 24 hours, but — based on what’s been publicized thus far — they must qualify internally if the breach is material. Under GDPR, a company can do that based on the sensitivity of the data, its volume, and where it went. Under PRPC, “materiality” is defined by the SEC as anything that a “reasonable shareholder would consider important.” This could be virtually anything shareholders consider material to their business. It’s rather broad and not clearly defined.
Other Weak Definitions
Another issue is the proposal’s requirement to disclose circumstances in which a security incident was not material on its own but has become so “in aggregate.” How does this work in practice? Is an unpatched vulnerability from six months ago now in scope for disclosure (given that the company didn’t patch it) if it’s used to extend the scope of a subsequent incident? We already conflate threats, vulnerabilities, and business impact. A vulnerability that isn’t exploited isn’t material because it doesn’t create a business impact. What will you need to disclose when aggregate incidents need to be reported, and does the aggregation clause make this even harder to discern?
To make this more complicated, the proposed rule will require organizations to disclose any policy changes that resulted from previous incidents. How rigorously will this be measured and, honestly, why do it? Policies are supposed to be statements of intent — they’re not supposed to be low-level, forensic configuration guides. Updating a lower-level document (a standard) to mandate a specific encryption algorithm for sensitive data makes sense, but there are few higher-level docs that would be updated due to an incident. Examples might be requiring multifactor authentication or changing the patching service-level agreement (SLA) for in-scope critical vulnerabilities.
Lastly, the proposal says quarterly earnings reports will be the forum for disclosures. Personally, quarterly earnings calls don’t seem like the right forum to go deep on policy updates and security incidents. Who will give the updates? The CFO or CEO, who typically provides earnings reports, might not be sufficiently informed to give those critical reports. So, does the CISO now join the calls? And, if so, will they also respond to questions from financial analysts? It all seems impractical, but we’ll have to wait and see.
Questions About Board Experience
The first iteration of PRPC required disclosures about board oversight of cybersecurity risk management policies. This included disclosures about the individual board members and their respective cyber expertise. The SEC says it purposefully kept the definition broad, given the range in skill and experience particular to each board.
Luckily, after much scrutiny, they decided to remove this requirement. PRPC does still call for companies to describe the board’s process for overseeing cybersecurity risks, and management’s role in handling those risks.
This will require some adjustments in communication and general awareness. Recently, Dr. Keri Pearlson, executive director of cybersecurity at MIT Sloan, and Lucia Milică, CISO at Stanley Black & Decker, surveyed 600 board members about activities surrounding cybersecurity. They found that “fewer than half (47%) of members serve on boards that interact with their CISOs regularly, and almost a third of them only see their CISOs at board presentations.” This clearly points to a communications gap.
The good news is most boards already have an audit and risk committee, which can serve as a subset of the board for this purpose. That said, it’s not uncommon for CISOs and CSOs to present matters involving cybersecurity that the rest of the board doesn’t fully understand. To close this gap, there needs to be greater alignment between the board and security executives.
Uncertainty Prevails
As with any new regulation, there are questions and uncertainties with PRPC. We’ll just have to wait and see how it all evolves and whether companies can meet the proposed requirements.