SEC Cyber Security Rules - More Than Regulations and Transparency

SEC Adoption of Cyber Security Rules – the Bigger Picture and Their Significance

It was hard to miss the SEC’s passing of the first of three proposed Cyber Rules (File Number S7-09-22) last week. A lot has been written about the specifics, but very little has been written about the bigger picture, its impact on senior leadership, and the long-term significance.

To quote Niels Bohr in the movie “Oppenheimer”:

"The important thing isn't can you read the music, it's can you hear it."

While this article focuses on the bigger picture, along with the significance to senior leadership and to national security, the mechanics are important. Additional reading and a list of resources are provided at the end to help you with the implementation.

The passing of this rule is one piece of a much larger mosaic.

The National Cyber Security Strategy, released in March 2023 by the Office of the National Cyber Director (the White House "Cyber Czar"), is all about Responsibility and Regulation. It is also about fostering tighter public/private partnerships. The cyber rule recently passed by the SEC is an example of that strategy. The same strategy can be seen in the recently released National Cyber Security Strategy Implementation Plan, along with actions from the US Congress, the Federal Trade Commission, the U.S. Department of Energy (DOE), and the Transportation Security Administration (TSA).

Recent events demonstrate the National Cyber Security Strategy is more than just words on a page.

We are living through the most sweeping regulatory changes since Sarbanes-Oxley and Dodd-Frank.

The Wells Letters sent to past and present executives at SolarWinds mark the first time ever that a CISO has been advised the SEC is planning to bring an enforcement action against them.

We are seeing product vendors and service providers being held accountable for the security of their offerings. Senator Ron Wyden (D-Oregon), chair of a powerful Senate committee, sent a letter demanding that the U.S. Department of Justice, the Cybersecurity and Infrastructure Security Agency, and the Federal Trade Commission open separate probes into Microsoft’s “negligent cybersecurity practices” that led to high-level intelligence gathering activities against the U.S. President’s cabinet and potentially other western Allies.[1] [2]

We are in the phase where regulators with existing authority are flexing their muscle. The next phase will be net new legislation to fill regulatory gaps and to expand existing authority.

This is the first of three proposed Cyber rules by the SEC.

The recently passed rule focuses on publicly traded companies (with some exceptions). The other two rules in the pipeline fold in the rest of the ecosystem (aka other market participants).

All three sets of rules support the Securities and Exchange Commission’s mission of:

- protecting investors,
- maintaining fair, orderly, and efficient markets,
- facilitating capital formation.

Much of the criticism from InfoSec professionals centers around the rule changes not going far enough. There are some things many of us would have liked to have seen in the recently passed rule. A few things I and others advocated for were incorporated. With a bit of luck, others will be incorporated in the future.

On balance, the recently passed rule is pretty good. Clearly better than nothing. I doubt anybody believes this rule will NOT experience updates and clarification as we evolve. This is a regulatory example of “the art of good enough” and “not letting the perfect be the enemy of the good.”

Big Wins.

Public/Private Partnership. The biggest win is the treatment of cyber incidents as national security and potentially global events. Doing so opens the door to bringing the full force of the U.S. Government, and potentially its Allies, to respond to incidents. Let’s face it, the most damaging incidents come from Advanced Persistent Threats (APTs) backed by Nation States. A single organization cannot go it alone. No single market participant has the resources, the heft, or the authority to counter APTs, especially Nation States, on its own. It requires a partnership between Government and Industry on a global scale.

How does the new rule do that? The rule incorporates a National Security review by the Attorney General’s office. The AG review provides the opportunity for incidents to be triaged to determine whether an incident is a single event or part of something larger. You can bet their assessment will include reports from other market participants along with the Intelligence Community (IC) and Law Enforcement. The AG can determine the true source, the motivation, and the breadth of the situation. The primary question: is this a one-off event or part of a larger strategy? Based on the AG’s determination, the four-day reporting requirement can be tolled (i.e., the clock suspended).

If the incident is determined to be an act by an APT or a Nation State, the U.S. Government and its Allies can determine what collective response is warranted, potentially including economic, diplomatic, offensive cyber, or kinetic measures.

Over time, these public/private partnerships will minimize, and hopefully eliminate, threats while also promoting the cyber resilience of organizations.

Impact is more than just near-term financial. While “Material” is not defined in the rule, communications from the SEC talk about systemic risk and contagion. Communications from the SEC also make clear that impact is more than just near-term financial loss; it includes reputational damage, loss of market share, and the loss of Intellectual Property (IP).

Cyber as part of Risk Management. Material cybersecurity incidents and cybersecurity risk management processes are to be reported more consistently and in a more standardized way. As a result, investors and other market participants can make more informed decisions. It also trends towards an overall reduction in the cost of compliance.

Today, cyber is reported inconsistently, not always as a risk, and often not at all. Some have stated there are about 100 risks an organization must manage. Cyber is one of the few that can affect the others. It is also one of the few that has an intangible impact, often with a long tail. Why would somebody invest (aka buy stock) in a company with poor cyber hygiene?

Impact on the Board and Senior Leadership. While some argue the rule does not go far enough in requiring cyber and technical expertise on the board, it does take the board conversation up a notch. With this rule, cyber becomes increasingly part of the Board’s Duty of Care, its Duty of Loyalty, and its Fiduciary Responsibility.

The required reporting, combined with the increased transparency, gives organizations an incentive to reduce the frequency of incidents, to reduce the extent of an incident (e.g., the Blast Radius), and to recover faster (increased resilience).

Fold in enforcement actions like the Wells Notices sent to SolarWinds’ leadership and the Congressional push for investigations of Microsoft’s cybersecurity practices, and you can bet organizations are paying more attention to their cyber practices.

It is about resilience. Cyber is no longer just the purview of the technologist. Historically, cyber was treated as a technical problem handled by the technologist. It is now a Board conversation regarding people, process, technology, and organization cooperating to achieve a resilient organization that defends, detects quickly, and recovers quickly without losing a beat.

Disappointments.

The biggest disappointment (for me) has nothing to do with the rule itself. It is that it passed three to two, on partisan lines. Cyber should not be a partisan issue. Cyber needs to be bipartisan. Fingers crossed.

Given the interconnected nature of the modern enterprise, the increased use of third parties (e.g., the Cloud), and the remote workforce, it would have been good to see more emphasis placed on Third Party Risk Management (TPRM). It is only a matter of time.

A better definition of Material or Value at Risk (VaR) would be helpful. In all fairness, that is a much larger debate, far beyond just cyber. As assets have become increasingly intangible, the accounting of those assets has become more difficult.

Further reading.

The National Cyber Security Strategy can be found here:

https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf

An excellent article on the National Cyber Security Strategy by Brandon Williams can be found here:

https://www.dhirubhai.net/feed/update/urn:li:activity:7064279714537840640/

The National Cyber Security Strategy Implementation Plan can be found here:

https://www.whitehouse.gov/wp-content/uploads/2023/07/National-Cybersecurity-Strategy-Implementation-Plan-WH.gov_.pdf

The SEC’s final rule (recently passed) can be found here:

https://www.sec.gov/files/rules/final/2023/33-11216.pdf

The proposed rule changes for the rest of the market participants (Release No. 34-97142; File No. S7-06-23) can be found here. The Fact Sheet is here. PSA, the proposed rule changes are over 500 pages. Public comments to this proposed rule are located here. My comments to this rule can be found here.

SEC Statement on the Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

https://www.sec.gov/news/statement/uyeda-statement-cybersecurity-072623

Mayer Brown provides an excellent table mapping out the specifics of the recently passed rule.

https://www.mayerbrown.com/-/media/files/perspectives-events/publications/2023/07/legal-update--sec-adopts-final-rules-on-cybersecurity-disclosures.pdf?rev=ab50ec887d4a4ee8967bd07f5c722921

All public comments to the recently passed rule can be found here:

https://www.sec.gov/comments/s7-09-22/s70922.htm

The public comments submitted in a joint response with Shiva Rajgopal, Head of the Corporate Governance program at Columbia Business School, and me can be found here:

https://www.sec.gov/comments/s7-09-22/s70922-20128410-291323.pdf

Our joint response was picked up by Harvard’s Corporate Governance forum:

https://corpgov.law.harvard.edu/2022/06/03/the-secs-cyber-disclosures/

[1] https://www.wyden.senate.gov/imo/media/doc/wyden_letter_to_cisa_doj_ftc_re_2023_microsoft_breach.pdf

[2] https://www.cnbc.com/2023/07/27/microsoft-must-be-held-responsible-for-china-hack-senator-wyden.html



Rod Hackman

Board Member-Cybersecurity Oversight | Corporate Governance & Development | Entrepreneur | M&A

1 year

Alex-excellent and insightful article. Thank you!

Sean Mahoney

Cyber Resilience | Cyber Risk Management | Speaker & Podcaster | Protector Against Ransomware

1 year

Alex - Agree with you that cyber issues should not be partisan.

Adam Shostack

Leading expert in threat modeling + secure by design. Training | Consulting | Expert Witness. "Threat Modeling" + "Threats: What Every Engineer Should Learn from Star Wars." Affiliate Professor, University of Washington.

1 year

Great review, thanks! I think the transparency aspects are really important, if somewhat confused, and my notes are at https://shostack.org/blog/sec-cybersecurity-rules/

Chris P.

Cyber Planner, US Cyber Command

1 year

Alex Sharpe Look forward to reviewing your insights further.

Arsalan Ayub

(CISM, CDPSE, DTEF, CITA-F, CDPP)- Fintech Enthusiast, DeFi, Web3

1 year

Indeed, more than just compliance and transparency. Thanks for sharing, dear Alex Sharpe!
