Ep. 1: Why the SEC’s New Cyber Rules Are Causing Controversy

Summary

New rules proposed by the SEC will regulate how companies manage risk and respond to cyberattacks. Former federal prosecutor Judith Germano discusses today’s cyber catch-22—enterprises must be transparent about cyber policies (to prove, well, that they have cyber policies) yet not reveal too much to hackers.

HOST: Doug Thompson, director of technical solutions engineering and chief education architect, Tanium
GUEST: Judith Germano, distinguished fellow, NYU Center for Cybersecurity

Show notes

To learn more about this issue, check out these articles in Focal Point, Tanium’s online cyber news magazine.

• New SEC Cyber Rules Put Boards and Executives on Alert
• ICYMI: Top Companies Are Debating the SEC’s New Cyber Rules
• How Boards Are Preparing for Increased Federal Oversight of Cybersecurity

Transcript

The following podcast transcript has been edited for clarity.

Judith Germano: The SEC rules make it clear, if it hasn’t been clear already, that cybersecurity must be prioritized… at the highest levels of organizations. Sometimes what happens in a company is it gets very insular and they say, oh, we’re fine. And it’s only because they haven’t looked around all the corners and realized that they are not fine.

Doug Thompson: Hi, I’m Doug Thompson, and today on Let’s Converge, we’re talking the SEC—new cybersecurity rules and controversy.

Now, I gotta tell you, I live in Texas, so maybe that’s why I’m quick to see things as a showdown. It’s high noon and somebody’s gotta win. But that’s what it feels like. Sometimes there’s tension between the government and private enterprise, especially when it comes to cybersecurity. It’s like Friday Night Lights, and the two best high school teams are battling it out for the championship.

The latest dust-up between companies and the feds is over a set of new rules proposed this year by the SEC. If approved, the rules will regulate how companies manage risk and respond to cyberattacks. One controversial rule would require companies to report cyberattacks within four days of being deemed a material incident. Another stipulates that companies must disclose certain cybersecurity procedures they have in place in order to prove that they do in fact have procedures in place.

The government insists that the only way they can get a handle on skyrocketing cyber threats is to know what’s happening to companies and force them to take cybersecurity seriously. While that may sound good to some, my guest today says that, eh, it’s not quite that simple. Judith Germano is a former federal prosecutor and a distinguished fellow at NYU’s Center for Cybersecurity, as well as an adjunct professor at the university’s School of Law. Judi recently convened an expert panel to discuss the SEC’s proposals. An all-woman expert panel, by the way, and we’ll get to that.

How are you doing, Judi?

Germano: Very well, Doug. Thanks for having me.

Thompson: Thanks for coming on. I want to jump right into this. Your law firm advises companies and boards about cybersecurity risk and regulatory compliance. So I know you’re in the thick of this and I imagine you’re having the same conversation with a lot of concerned board members saying, look, if you haven’t started taking cybersecurity seriously, it’s the fourth quarter, you’re behind by a touchdown, and the clock’s running out. Because the SEC is really looking to tighten the reins on these new proposals, aren’t they?

Germano: Well, the SEC actually has been issuing guidance on cybersecurity issues for a number of years, but the new guidance they’ve proposed now is very significant in terms of what they’re asking companies to do.

Thompson: These new rules, they’ve sort of gotten everybody’s feathers ruffled. Particularly the requirement that they have to report within four days, which I think is a good idea. I always think transparency is better than trying to hide things. But some say you have no business doing this, that this is overreach. What do you think about that?

Germano: The four-day reporting requirement is a little bit troubling. Companies have to report within four days of determining that an incident is material, and the issue really is how they have to report, and to whom. It’s a public filing, an 8K report, which alone can often take a significant amount of effort for a company to do. And if they’re in the context of responding to a cybersecurity incident within four days of knowing it’s material, you still may need to have that time to notify others who are impacted by the breach, such as customers or partners or others in your supply chain—and also to make sure that the breach is addressed, that the vulnerability has been closed off.

And so, to have to also divert resources within an organization to then make formal SEC filings about it and make sure investors know within such a short turnaround, I think in some ways can actually impede cybersecurity. One, because it’s diverting resources from the issue; two, because it may cause some companies to hold off on determining something is material and not tell potentially impacted customers as soon as they should. In that way it could really undercut cybersecurity.

Thompson: I understand the government’s frustration: Too often companies want to keep something like this quiet. But is the SEC the best organization to be overseeing this?

Germano: I wouldn’t say they’re the best; I’d say they’re one of many in the government who are seeking to address cybersecurity. The SEC certainly carries a lot of weight and gets attention for publicly traded companies and SEC-regulated entities. So it’s important for them to weigh in on cybersecurity because they know that companies will listen, because they carry a big stick.

Thompson: You mentioned the public companies, but do private companies have to follow these rules as well?

Germano: No—well, mostly no. The rules apply to SEC-regulated entities, so publicly traded companies or companies registered with the SEC, such as registered broker dealers or financial advisers. But what is interesting is as we see more and more regulations come out, including these proposed rules, they can be used as a benchmark and a point of reference for other companies that may not be specifically regulated by the SEC, but in other litigation, understanding what are the best practices, what are the appropriate timeframes for disclosure? And using those as reference is one of the things that we might expect to be coming out.

Thompson: Another proposed rule by the SEC would force boards to disclose their cyber policies and procedures. This concerns me a little bit. I mean, it’s like in baseball, if I can steal your pitcher’s signs, I know what pitch is coming, it makes it a lot easier for me to get a hit. If hackers know what policies and procedures are in place, they’ll know what to work around.

Germano: Yes, it’s a good point that you make. And the rule about disclosing the policies and procedures with regard to managing cybersecurity risk, there are pluses and minuses with that, Doug. I’d say on one hand, the benefit or the intention is to encourage companies to have good cybersecurity processes in place because they have to disclose what they’re doing. And we’re unfortunately seeing far too many companies fail to sufficiently prioritize cybersecurity and proactive cybersecurity measures. On the other hand, there is a real risk of exposing the low-hanging fruit, making it easier for attackers to know which companies to target if they don’t have the right processes in place at the time. So we’re going to need some direction and be careful how we walk the line of giving information about what responsible steps entities are taking to manage cybersecurity. And they all should be doing that by this point, but many still are not. But at the same time, while giving those steps and discussing the process, not revealing the code to the safe, or giving out way too much to let hackers find their way in too easily.

Thompson: Yeah, that’s always the delicate balance. So assuming these things are approved, or some flavor of them is approved on this, how does someone, as a board member, how would I start getting prepared? What do I need to do? Because there’s gotta be some strategy involved and getting the right people in and things in place.

Germano: Yes. So for a board, the SEC rules make it clear, if it hasn’t been clear already, that cybersecurity must be prioritized within organizations and at the highest levels of organizations. So we’re at a point now where we need people on the board who understand cybersecurity and the right questions to ask regarding cybersecurity and what management is doing to appropriately consider and manage cyber risk as part of overall enterprise risk.

In terms of specific steps that companies and boards should be taking, it needs to be proactive, understanding what threats the company or organization faces, what systems are in place in terms of very basic practices such as multifactor authentication, firewalls, regular update and patch management practices, and who’s the team? Are there sufficient financial resources and human resources dedicated to cybersecurity? And are they all talking to each other? And to figure that out, I think it’s important to have good internal assets and also look to external advisers for briefings and updates.

Because sometimes what happens in a company is it gets very insular and they say, oh, we’re fine. And it’s only because they haven’t looked around all the corners and realized that they are not fine. So it’s good to have third-party audits and checks as well, to make sure there aren’t holes in cybersecurity that need to be addressed quickly.

Thompson: Well, I think you hit upon an important point, because there are times where we have to self-attest or self-report, “Hey, we did this, we’ve got this in place.” But having a third party and neutral third party, so to speak, to validate that you are doing what you say you’re doing, I think it’s very important.

Germano: I think it is very helpful, and companies are at different levels of maturity with regard to cybersecurity. Some have really detailed and terrific teams, and others need to rely more heavily on outsourcing of cybersecurity. And there are ways technologically that they can reduce their threat profile by using reputable cloud service providers and ensuring that there’s sufficient basic cybersecurity protocols like I mentioned—multifactor authentication, strong password management and practices (to the extent they’re using passwords), and other options like that.

But I do think it’s important, maybe not that it’s required but that companies consider what internal and external resources they have and are they not just spending money on cybersecurity, but is it smart spend that makes sense to best protect the company? And then of course, is it documented, because when the attacks do happen, they may have to address it to the SEC, to investors, to third parties or customers or litigants. So it’s important to document good cybersecurity practices proactively. And then in a response as well.

Thompson: You mentioned that boards—and I’ve seen this a lot—typically don’t have a lot of technical expertise, sometimes because they can’t or haven’t been able to attract it in the past. Why do you think that is?

Germano: Cybersecurity is a growing and difficult issue, and I think some boards have great cybersecurity expertise and others have room to grow and improve in that area. And I think part of the issue, Doug, is that there’s a shortage in terms of good cybersecurity talent—not just people who say they know cybersecurity but who actually have worked in the field and understand the threats. And not always from a technological perspective, though, that’s a critical part of it, but it’s an interdisciplinary challenge.

So you need to understand governance and procedure and protocols of cybersecurity as well as necessary technological steps or the questions to ask to ensure that those are being addressed. And having strong leadership and crisis management skills is also important for cybersecurity professionals. That’s an area where there’s high, high demand and a bit of a talent gap.

Thompson: You mentioned the talent gap. It’s been tough for companies to fill cybersecurity jobs, period, and particularly challenging to find women for these roles. This is important to me. I have daughters and granddaughters, and I’ve always encouraged them to pursue any field that they want, even if it wasn’t traditionally thought something that girls should do. Now I notice your law firm is women-owned and -operated and you chair an all-women cybersecurity panel. So this isn’t impossible. But how do we bring more women into the field?

Germano: I think there’s a lot of things being done and a lot more work to be done to increase the cybersecurity pipeline generally, and in particular with women and underrepresented persons in cybersecurity.

One of the things I’ve been doing is, since 2016, I’ve created and run the women leaders in cybersecurity programming at NYU, and we bring together thought leaders and executives in cybersecurity from business and government and academia for substantive panel discussions. It’s a way to show that there are a number of really terrific, knowledgeable and experienced women in the field. Because what happens is all too often people will turn to the usual folks they know and then those are the people getting put on panels or [put] in consideration for jobs. And it’s important to look a little bit further and realize that there are a lot of amazing women and underrepresented persons or groups who are also involved, and to make that extra step.

In addition, we need to focus on training the next generation of leaders, and companies can do that within their organization, even if someone may not have the exact cybersecurity experience but is smart and talented and a good team player, to give them the training and skills and support necessary to grow into the roles. I think that’s also important. That’s another part of my work at NYU, where I teach in executive education programming, including the master’s in Cybersecurity Risk and Strategy program, which is a collaboration between the law faculty and the engineering school to help train the next generation of cybersecurity leaders and executives who are currently in the field but looking to advance into leadership roles.

Thompson: How do we get employees to think differently about [cybersecurity] if they’re not doing it as a career— I’m not in that field, I don’t like to code, I don’t look good in a hoodie… How do we encourage those people to sort of get into this?

Germano: That’s a terrific question, Doug, because one of the really important things is to recognize that cybersecurity is an interdisciplinary challenge that requires diverse perspectives and diverse experience. There are so many different skill sets that go into a good cybersecurity professional, and we need people from very different backgrounds to consider how they can help in this cause and in this field. And also to appreciate the great job opportunities there. We need folks who are good leaders and can keep a strong head in a crisis, manage a team, understand business strategy and governance.

Some of those people may or may not understand technical details of cybersecurity or the engineering components of it. And then there are folks who are incredibly skilled engineers who may not see themselves necessarily in leadership or business or board roles, and they also need to understand what are the tools and important pieces to bring to the table for them.

And so I think that from many different backgrounds there’s really great opportunity to work in cybersecurity and to help both in organizations and government and to serve on boards and cybersecurity for people who understand this interdisciplinary approach and can bring different perspectives but also be sufficiently comfortable to say what are the parts they don’t understand? Where do they need more education and training, or where would they rely on an external adviser or expert to help fill some gaps in knowledge?

Thompson: That’s a great point. It takes a team, it truly takes a team to do this.

Germano: The other thing that’s changed over the years is that companies are so often judged and facing enforcement actions or civil lawsuits, not necessarily on the fact that they were breached but for how they handled the incident: Did they have the right communication strategy internally and externally? Were they sufficiently cognizant of who needed to be notified on what timeframe? Did they do the necessary steps?

For example, it might be reaching out to law enforcement, coordinating with law enforcement, working with partners and customers in the right way to be sufficiently transparent about what was going on and what happened. That’s a key component. But at the same time, you need to protect the organization and be responsible in terms of managing the vulnerabilities in time to not make a situation worse. That requires good judgment and good leadership.

Thompson: It sounds like you’re saying everybody should assume they’re going to be breached and plan accordingly: What would you do? And run through these exercises, as opposed to just saying we’ve got good things in place and that’ll never happen.

Germano: Absolutely, absolutely. We’ve said that for a long time, and we’re hoping that companies understand it’s just a question of when. Accepting that will help in the crisis. We can spend less time on the blame and the fear and just say, Well, here it is; what are we gonna do about it? How quickly can we right the ship, respond to the incident, and focus on protecting our customers and stakeholders and organization—especially the information data and systems that might be implicated.

Thompson: And I think that’s a good way to wrap it up. Judi, thanks for your time and your insight.

Germano: My pleasure. Thanks so much, Doug. Great speaking with you.

Thompson: I’ve been talking to Judith Germano of NYU’s Center for Cybersecurity.

If you’re a board member or a company executive, you can learn more about the SEC’s proposed new rules at Tanium’s new online cyber news magazine. You can also check out an ongoing series of articles about how boards are facing up to rising cyber challenges and greater federal oversight. Just go to tanium.com.

To hear more conversations with today’s top security leaders, make sure to subscribe to Let’s Converge on your favorite podcast apps, such as Apple Podcasts and Spotify. And if you love this podcast, please give us a five-star rating.

Thanks for listening. We look forward to sharing more cyber insights on the next episode of Let’s Converge.