What Do CISOs Have to Do to Meet New SEC Regulations?

Question: How can CISOs keep up with changing cybersecurity regulations?

Ilona Cohen, Chief Legal and Policy Officer, HackerOne: It is never an easy time to be a chief information security officer (CISO), but the past few months have felt particularly challenging. To the usual stressors of the job — such as the ongoing increase in ransomware attacks and the pervasiveness of insider threats — we can now add heightened regulatory enforcement scrutiny.

The recent charges from the US Security and Exchange Commission (SEC) against SolarWinds' CISO is the first time a CISO has been singled out in this way by the agency. This suggests a larger trend of increased accountability for individuals in charge of managing organizational security programs.

In addition, companies traded on US exchanges must comply with the SEC's new cybersecurity disclosure and incident reporting rules starting now, and qualifying smaller companies must comply with the incident reporting rules in spring 2024. These changes put organizational security programs under even greater scrutiny and add to the load of responsibilities CISOs must track.

It's no surprise that many CISOs are feeling more pressure than ever.

These new rules and liabilities do not necessarily need to be a hindrance to a CISO's work — in fact, they can actually be a source of support for CISOs. SEC rules around cybersecurity disclosures and incidents have historically been somewhat hard to discern. By clarifying requirements for disclosing security risk management programs, governance, and cyber incidents, the SEC is providing CISOs with a guidebook.

In addition, the SEC's increased expectations for risk management and governance may give CISOs greater standing to demand internal resources and processes to meet those expectations. New requirements for publicly traded companies to disclose risk management practices to investors create additional incentives to strengthen proactive cybersecurity defenses. Even before they went into effect, the SEC's new rules have heightened awareness of cybersecurity practices among company boards and non-CISO company leadership, which will likely translate to more expansive cybersecurity resourcing.

Public companies with robust security programs that include continuously identifying and mitigating vulnerabilities may be more attractive to investors from risk management, security maturity, and corporate governance perspectives. At the same time, companies that take a proactive stance to reducing security risk — for example, implementing and appropriately resourcing cybersecurity best practices like those contained in ISOs 27001, 29147, and 30111 — are less likely to suffer material cyberattacks that damage the company's brand.

This new regulatory landscape represents an opportunity for CISOs to take stock of their internal reporting procedures and make sure they're up to par. If publicly traded companies do not already have procedures to escalate significant security issues to executive management, these processes should be established immediately. CISOs should help prepare disclosures about company risk management processes. They should also help ensure the company's public statements about security are accurate, fulsome, and not misleading.

Under the new SEC rule, public companies must disclose within four business days any cybersecurity incident deemed "material." But many incident responders are wondering what it means to be "material," especially when the SEC declined to adopt a cybersecurity-related definition of "materiality" in the rule and kept the standard familiar to investors and public companies. An incident is "material" if information about that incident is something a reasonable shareholder would have relied on to make informed investment decisions or when it would have significantly altered the "total mix" of information available to the shareholder.

Practically speaking, determining what is and isn't material is not always obvious. While an incident responder may be used to assessing the security implications of an incident, such as how many records were impacted, how many unauthorized users had access, or what type of information was at risk, they may be less accustomed to thinking about the broader implications for the company. That's why many companies are putting protocols in place — such as referral to an internal committee made up of security professionals, lawyers, and members of the C-suite — to assess not just the security risk caused by an incident, but the impact to the company overall. An interdisciplinary team is more likely to be able to assess whether the incident exposes a company to liability, affects the company's financial position, disturbs the relationship between the company and its customers, or affects the company's operations due to unauthorized access or disruption in service, all of which are relevant to the materiality determination.

With some conscientious adjustments to standard operating procedures, CISOs can adapt effectively to this new regulatory climate without drastically increasing workloads or compounding already high levels of stress.