The days and weeks that follow a security incident are never easy. Executing incident response investigations to determine what led to the event, while simultaneously grappling with potential operational disruptions, reputational damage, and dealing with concerns from customers and investors takes time.
Following a security incident, executive leaders and their security teams are faced with a host of questions: How and where did the attacker enter our network? Did data exfiltration occur? And most importantly: Has the attack been contained and vulnerabilities mitigated? The incident response process is a rigorous one and can take many weeks to successfully conclude. However, this process may be about to become even more complex, particularly for public companies.
Earlier this year, the US Securities and Exchange Commission (SEC) announced proposed amendments to its security incident disclosure requirements for public companies. If these requirements are formalized into law, one of the most notable proposed changes will require companies to disclose material security incidents within four business days of their occurrence — "material" meaning anything that could impact an individual's decision to buy, hold, or sell a company's stock.
Specifically, the proposal would require:
- Form 8-K disclosure updates reporting any material cyber incident to be filed within four business days
- Periodic disclosures regarding the following:
  - Updates about previously reported material cybersecurity incidents
  - Company policies and procedures to identify and manage cybersecurity risks
  - Management's role in implementing those policies and procedures
  - The board of directors' cybersecurity expertise and risk oversight
An Array of Challenges
These proposed SEC disclosure requirements present an array of challenges. First and foremost, very few incident investigations are completed within four days. In most situations, executive leadership teams and security teams won't fully grasp the extent of their "material" damages until much later. Currently, depending on the severity of an event, it can take weeks to fully contain, remediate, and measure the effects of the damage. Further forensic investigation can then take months.
Determining if the event rises to the level of material impact can realistically happen only after all of these steps are taken. However, if there's a four-day time limit imposed by the SEC, organizations will have to immediately consult with legal advisers to decide what needs to be disclosed publicly, and how to do so in the most pragmatic manner.
By adding this obligatory disclosure clause, the SEC could severely disrupt incident response. Most firms will not know if a material event has occurred within this timeline, and many will feel compelled to admit damages prior to the conclusion of an investigation. Firms undergo many nonmaterial cybersecurity events every year. A short disclosure timeline will only inspire panic and negative public scrutiny.
Containment and Remediation
The bigger threat, however, is the proposed law's implications for the containment and remediation phases of the incident response process. Once a security incident occurs, IT and security teams work tirelessly to repair systems and lock attackers out. The new SEC proposal could significantly interfere with this activity by requiring members of those teams to meet with directors, officers, law enforcement, legal counsel, members of the media, SEC investigators, investment analysts, and customers, all of which takes focus away from mitigating the incident itself.
This could leave vulnerabilities unpatched or allow attackers to penetrate further into an organization's network. It may also jeopardize investigations being conducted by law enforcement, who typically ask to postpone public disclosure until after they have made arrests, so as not to compromise their work.
While the four-day disclosure rule is the most significant proposed change, the requirement to provide updates on previously disclosed material incidents is also noteworthy. Up until now, there has been no formal external reporting required for previous security incidents and events, except for the most high-profile breaches that have already made headlines. This element of the law would create a new scope of work for public companies, forcing them to upgrade their level of reporting and documentation — a new task that promises to be difficult to manage and expensive to execute.
While the comment period for the proposed new rules has already passed and we should expect to see final regulations published soon, there are a few measures organizations can implement to prepare themselves, should these proposals be adopted as originally published in the Federal Register:
- Create a robust and comprehensive incident response process, one that outlines clear disclosure policies and procedures in the event of a security incident.
- Have the right partners in place, specifically compliance consultants and legal counsel that understand security and data privacy.
- Consider adding an executive leader to the security team focused on incident response to maintain operational command while the CISO is called away to liaise with SEC investigators, the press, customers, and investors.
- Set aside budget for settlements and litigation.
- Ensure your CISO or equivalent is covered under your officer and director insurance.
While we await the final verdict from the SEC, it is important that firms begin scoping out the resources they'll need to deploy in handling these new regulations, specifically the investor and government relations portions of the disclosure. Much like there are playbooks and plans for the actual security incident, there now also needs to be a plan in place for ensuring compliance with all disclosure requirements.