Newly proposed cybersecurity rules from the SEC are putting immense pressure on corporate board members and executive leaders to take greater responsibility for cyber-risk oversight.
But those rule changes are raising more questions than they answer.
That’s according to a panel of leading industry and regulatory experts that the NYU Center for Cybersecurity hosted online on July 12.
During the Women Leaders in Cybersecurity event, six panelists discussed how corporate leaders should comply with significant new mandates about cybersecurity incident reporting, risk management, strategy, and governance—and, in particular, the implications of a controversial proposed requirement to report cyberattacks within four days.
Jocelyn Hunter, vice president and deputy general counsel at Home Depot, noted that companies and boards are trying to figure out “the new lay of the land” and act transparently. Fellow panelist Bethany Mayer, chair of the board at online storage company Box, noted: “As board members, we have to change.”
On March 9, the SEC proposed rules that would beef up disclosure requirements around a host of cybersecurity issues, including risk management, strategy, governance, and incident response. The new recommendations are in the comment period, but would potentially require actions such as:
- Filing a Form 8-K with the SEC within four business days of a material cybersecurity incident;
- Periodically disclosing company policies and procedures related to identifying and managing cybersecurity risks, management’s role in implementation, and the board’s cybersecurity expertise and oversight responsibilities;
- Updating information about previously reported incidents.
Carolyn Welshhans, associate director of the SEC enforcement division and acting chief of the agency’s crypto assets and cyber unit, said during the panel that the final rules could wind up being “very different” from what’s been proposed. Some 100 comment letters have been filed with the SEC so far. The comments are being considered as part of the rulemaking process. Welshhans did not offer a timeline for when the rules would be finalized.
What’s behind the SEC’s new cybersecurity rules?
The increased frequency and intensity of cyber incidents in recent years has motivated the SEC to act. Cybercriminals have launched a jarring wave of ransomware assaults on U.S. businesses and critical infrastructure providers.
They’ve shut down meatpacking plants, gas pipelines, schools, and healthcare facilities. In each case, they’ve locked down victims’ computer systems and demanded money to return stolen data. From small businesses to entire governments—no organization is immune from these attacks.
The SEC’s proposal is therefore an “important callout,” said panelist Julie Cullivan, a board member at multiple companies and former IT leader at Forescout Technologies. “From a risk perspective, things have gotten worse over the last five years,” she said. “And some of the problems of five years ago have still not been addressed by organizations.”
Cullivan said that executive teams and boards need to engage better with cybersecurity issues. The SEC sees that the basics are still not being addressed and wants to ensure companies are being held accountable.
That sentiment was shared by Home Depot’s Hunter and panel moderator Judith Germano, a distinguished fellow at NYU’s Center for Cybersecurity and a former federal prosecutor. They agreed that companies should have taken basic steps years ago. Best practices for patch management and multifactor authentication have been well known for years. The federal Cybersecurity and Infrastructure Security Agency (CISA) has recently been beating the drum about the steady escalation and increasing sophistication of cyberattacks.
The SEC’s mandatory four-day rule
Corporate leaders and their boards are particularly concerned by one of the new requirements—that cyber incidents be disclosed within four days of being labeled a “material” event. The four-day rule, Germano said, is “problematic.” The time limit could cause companies to delay determining that an event is material and discourage them from making informal confidential disclosures to stakeholders and regulators for fear of triggering a public filing requirement.
It could also lead to public disclosures of incidents before the damage has been contained and systems have been patched, and before other impacted parties have been informed and have had the chance to protect themselves. “This can hinder, not help, cybersecurity,” she said.
“Within a four-day window, it is really hard to know what is going to be material,” said Mayer of Box. “It takes more than that amount of time to understand whether or not an incident is material.” In addition, early disclosure could flag that the company is in cyber distress, potentially inviting more attacks, she said.
The four-day period, Home Depot’s Hunter said, is still “a period when there are a lot of unknowns.” Law enforcement may be involved during this early stage, and they may advise against a quick disclosure in order to avoid scaring off criminals who could still be caught as they rummage through a system.
Cullivan said executives and technology experts have raised concerns that the four-day rule will lead boards to hold back on some of their early communication, which can be vague at best. “I have seen technology companies get attacked for not [holding back],” she said. “I am concerned that people will hold back because they are worried that that communication would be a signal too soon.”
But the SEC’s Welshhans thinks it’s a delicate balancing act between disclosure and speed, which can be critical during a cyberattack. “Once you have [determined that] something is material, that is something investors need to know about,” she said.
Still, Welshhans signaled that the four-day rule is up for discussion and that companies should not be afraid of disclosure. “The chances are,” she said, “that we are going to hear about it anyway, because if there’s a leak and it becomes public, you ultimately have to disclose it. We also hear about it from our other law enforcement partners.”
Board-level cybersecurity expertise needed
Given the new pressure for increased disclosures, it’s time companies added a cybersecurity expert to the board, said Mayer of Box. “Given the kind of risk companies are facing, particularly at large public companies, there has to be some level of knowledge, not just about the technology, but also about the legal and liability issues,” she said. “That has to be part of the knowledge of the board.”
Mayer, for her part, is concerned that even large companies don’t have a basic level of cybersecurity knowledge on the board. That can be a real problem when a cybersecurity breach occurs.
Panelist Nasrin Rezai, senior vice president and chief information security officer (CISO) at Verizon, shares the belief that companies and boards need to add more technologists to their executive structure. Boards and companies need to “understand the interaction of cyber innovation with business leadership to make sure business and technology and cyber are interlinked,” she said.
SEC: No “one-size-fits-all” solution
Welshhans said at the event that the SEC’s proposed rules will not be a “one-size-fits-all” regulation. The agency isn’t interested in prescribing an incident response playbook and other specific measures, she added. “Companies need to figure this out,” she said.
Assessing and responding to risk is different for every company. “We are not trying to impose a regime,” she said. “And even with the best cybersecurity in the world, something is going to happen.” Still, investors need more material information about breaches when they occur.
The SEC must tread a fine line between accountability and being “overbearing,” said Germano of NYU. Lawmakers, businesses, and trade organizations have criticized the rules, saying they are needlessly burdensome, could endanger national security by publicly exposing sensitive information, and would impose unprecedented micromanagement by the government.
Hunter from Home Depot summed up the criticism by noting that well-intentioned proposals like a four-day disclosure requirement could add an unnecessary layer of stress to an already stressful situation. When there is a cyber event, “it’s a really challenging time, and it’s also a time when there are a lot of hands on deck,” she said. “And this would just add to what everyone is trying to do.”