Last March, the U.S. Securities and Exchange Commission (SEC) proposed a series of rules to "enhance and standardize" publicly traded companies' disclosures about cyber incidents and their practices for managing and governing cybersecurity risk.
In their official document, the SEC proposes that registered companies adhere to the following:
- Disclose information on material cybersecurity incidents in their 8-K filings within four business days of identifying the incident's impact as material.
- Provide updates in their quarterly and annual reports (10-Qs and 10-Ks) on material cybersecurity incidents they previously disclosed in 8-Ks.
- Notify the SEC when previously undisclosed, immaterial cybersecurity incidents become material.
- Describe their policies and procedures for identifying and managing cybersecurity risks, including whether they have a CISO (or someone in an equivalent role), reporting relationships for the CISO, and whether they consider cybersecurity as part of their business strategy, financial planning, and capital allocation practices.
- Describe their boards of directors' and senior management team's expertise in assessing, managing and governing cybersecurity risk and in implementing cybersecurity policies, procedures and strategies.
The rule changes are intended to bring consistency to the way SEC registrants report on cyber risks and incidents, and to provide investors with information they can use to better assess an organization's overall risk profile. However, they've become a source of concern for both C-level leaders and corporate directors, not to mention a wellspring of debate. For cybersecurity practitioners, the central question is whether the proposed rules, which go into effect on April 1, 2023, will ultimately improve or undermine an organization's cybersecurity posture.
CISOs' views on the impact of the SEC's proposal vary. Some welcome it. Others urge caution. Here, we present highlights from public comments that several prominent CISOs filed with the SEC or posted to their LinkedIn profiles. We're grateful to these CISOs for the time they spent drafting these comments and for sharing their informed and experienced perspectives in the public interest.
What CISOs Are Saying About the SEC Cyber Rules
Jerry Perullo, the esteemed former CISO of IntercontinentalExchange (parent company of the New York Stock Exchange), lauded the SEC's proposed rules for their focus on driving "the right outcomes while avoiding over-prescription." In his detailed public comments, he offered reasonable and nuanced suggestions for implementing the incident disclosure and governance rules in a way that wouldn't arm threat actors with new details on registrants' vulnerabilities or specific security practices. He also advised the SEC to improve its examples of incidents that would merit disclosure and urged them to provide clarity on gray areas, like whether organizations would need to disclose a ransomware attack they successfully contained to a single or limited number of computers.
"The Commission has done well to focus on material cybersecurity incidents. Other authorities have flirted with the notion of incidents that merely present the potential of jeopardy, panicking industries recognizing a potentially limitless expanse of reportable events. Materiality has been core to the Commission's remit since the Securities Act of 1934, and it is wise to extend this notion—which preserves signal-to-noise ratio for the investing public—to cybersecurity."
–Jerry Perullo, former CISO, IntercontinentalExchange
In his forceful public comments, Bill Shields, Executive Vice President and CISO at TransUnion, echoed concerns shared by many of his peers when he urged the SEC to better define "materiality" and give registrants more than four days after determining materiality to report an incident.
"That turnaround is simply too short to collect and present the necessary information accurately and will inevitably lead to mistakes that do the opposite of what the rule intends—disclosures will misdirect the Commission and investors, rather than provide clarity."
–Bill Shields, EVP and CISO, TransUnion
Shields also cautioned the SEC against forcing companies to disclose too much information related to active and ongoing security investigations. "The interest of investors in transparency cannot override the need to effectively resolve an issue and prevent its recurrence, which itself is in the interest of not just one company's shareholders but the shareholders of any other company that may be under a similar threat."
Abhay Raman, SVP and CISO for Toronto, Ontario-based Sun Life Financial, noted the rigorous regulatory obligations around cyber risk management and incident reporting that publicly traded Canadian companies are required to meet, some of which are similar in spirit to the SEC's proposed rules and some of which go beyond. Due to Canadian regulatory authorities' strict requirements, Raman advised the SEC to continue allowing eligible Canadian foreign private issuers to follow their own domestic disclosure standards and documents to satisfy SEC requirements and to make compliance with SEC rules voluntary for Canadian filers.
"Not doing so," he wrote in his public comments, "would subject Canadian companies to additional incident reporting regimes that would distract critical resources with fulfilling reporting obligations rather than focusing on addressing a cybersecurity incident."
"We encourage the SEC to work closely with Canadian regulators to resolve any concerns with existing cybersecurity reporting regimes before imposing additional reporting requirements. Cross-border regulatory cooperation is a powerful tool to support regulators seeking to fulfill their mandate while also minimizing disruption to businesses."
–Abhay Raman, SVP and CISO, Sun Life Financial
Andrew Heighington, CISO at Visit.org and former information security leader at Bank of America, JPMorgan Chase, and the U.S. Department of Defense, researched the cyber governance practices of the fastest-growing Fortune 1000 companies in 2022 to get a feel for their readiness to comply with the SEC's proposed rules. He published his research in a widely viewed LinkedIn article and post. Among his findings:
- Only 36% met three of the SEC's criteria for cyber risk governance.
- 42% don't have a publicly named CISO or equivalent.
- 38% don't have a board committee designated to govern cyber risk.
"The lack of foundational cyber governance and leadership at many of these companies means it's highly unlikely there is agreement on the company's financial exposure to cyber risk, how much cyber risk the company is willing to accept, transfer, and reduce, what will constitute a material cyber incident to the business and trigger SEC reporting, and what cyber trends are emerging that the C-suite and Board need to be aware of as they craft their business strategy."
–Andrew Heighington, CISO, Visit.org
It's so important for CISOs to weigh in on these rules since they'll be responsible for putting in place many of the systems, processes, policies and practices to enable their organizations to comply. The CISO community is fortunate to have such a deep bench of mission-driven practitioners.