CISOs and Their Companies Struggle to Comply With SEC Disclosure Rules

About six months ago, CISO Steve Cobb noticed that the contract language proposed by public companies had some notable additions.
In the case of a breach, publicly traded companies wanted more control over how their third-party providers responded to an incident - in some cases, they proposed to take over the incident-response process or wanted the third-party provider to make a determination within hours of whether a breach could be material, says Cobb, who manages cybersecurity for risk intelligence firm SecurityScorecard.
The company has even seen similar contract language proposed by its own customers, he says.
The impact on private third-party providers is just one way that enterprises are attempting to change their operations to comply with the SEC's mandate.
Already chief information security officers worry that they will be held to account for any mistakes in determining the materiality of a breach and point to the prosecution of SolarWinds' CISO as representing the personal risk of the position.
Companies could face millions of dollars in fines if they fail to notify the SEC of a material breach.
Overall, 68% of cybersecurity teams do not believe that their company could comply with the four-day disclosure rule, according to a survey published on May 16 by cloud-security firm VikingCloud.
Large Public Firms Already Have the Tools The largest public companies already have disclosure committees to determine whether a variety of events - from severe weather to economic changes and geopolitical unrest - might have a material impact.
Adding cybersecurity incidents to their purview requires that various groups - IT, cybersecurity, legal, and business - be brought together and be presented with the necessary information to make a determination, says Naj Adib, principal for cyber and strategic risk at consultancy Deloitte.
CISOs can use tabletop exercises to help companies create the right process for determining materiality and to collect the evidence needed to sign off on a disclosure within the four-day window.
Companies that cannot determine the impact of an incident with certainty could result in preemptive disclosure of a breach to satisfy potential notification requirements.
Such concerns led financial-services giant Prudential to proactively file a disclosure statement with the SEC in February, despite the fact that the company had only started its investigation and had no indication that the breach would have a material impact.
Every Company's Response Differs While larger companies have focused on the issue for over a year - even before the rule was finalized - smaller companies have had a more difficult road, says Matt Gorham, leader of the Cyber and Privacy Innovation Institute at consultancy PricewaterhouseCoopers.
Companies need to focus on creating a documented process and saving contemporaneous evidence as they work through that process for each incident.
There have not been a large volume of filings, so there is not enough data to pick out a trend, he says.
Failure to Report Smaller companies - and third-party providers - are likely less prepared and a worry for their publicly-traded clients.
Companies with smaller cybersecurity teams - where analysts also configure security controls - can run afoul of regulations due to the human element.
In a survey of security teams, for example, VikingCloud found that four-in-ten cybersecurity professionals have not reported an incident for fear of losing their jobs.
While SecurityScorecard's Cobb feels he has the support needed to create a strong cybersecurity process to comply with customers' disclosure needs, he also believes he is in the minority.
For the most part, CISOs are being asked to take responsibility for a determination of materiality when they often have neither the authority to make recommendations nor the budget to implement them, he says.


This Cyber News was published on www.darkreading.com. Publication date: Fri, 17 May 2024 14:00:55 +0000


Cyber News related to CISOs and Their Companies Struggle to Comply With SEC Disclosure Rules

Proofpoint's CISO 2024 Report: Top Challenges Include Human Error & Risk - In Proofpoint's 2024 Voice of the CISO report, the cybersecurity company found that CISOs are dealing with people-centric threats more than ever. Plus, cybersecurity budgets often don't change, and AI can help and hurt CISOs' efforts. Regarding the ...
5 months ago Techrepublic.com
Understanding the New SEC Rules for Disclosing Cybersecurity Incidents - The U.S. Securities and Exchange Commission recently announced its new rules for public companies regarding cybersecurity risk management, strategy, governance, and incident exposure. "Currently, many public companies provide cybersecurity disclosure ...
11 months ago Feeds.dzone.com
Securities and Exchange Commission Cyber Disclosure Rules: How to Prepare for December Deadlines - Starting Dec. 18, publicly traded companies will need to report material cyber threats to the SEC. Deloitte offers business leaders tips on how to prepare for these new SEC rules. The U.S. Securities and Exchange Commission’s new rules around ...
11 months ago Techrepublic.com
What Do CISOs Have to Do to Meet New SEC Regulations? - Ilona Cohen, Chief Legal and Policy Officer, HackerOne: It is never an easy time to be a chief information security officer, but the past few months have felt particularly challenging. The recent charges from the US Security and Exchange Commission ...
11 months ago Darkreading.com
Human error still perceived as the Achilles' heel of cybersecurity - While fears of cyber attacks continue to rise, CISOs demonstrate increasing confidence in their ability to defend against these threats, reflecting a significant shift in the cybersecurity landscape, according to Proofpoint. CISOs' confidence is ...
5 months ago Helpnetsecurity.com
CISOs and Their Companies Struggle to Comply With SEC Disclosure Rules - About six months ago, CISO Steve Cobb noticed that the contract language proposed by public companies had some notable additions. In the case of a breach, publicly traded companies wanted more control over how their third-party providers responded to ...
6 months ago Darkreading.com
How the Evolving Role of the CISO Impacts Cybersecurity Startups - It helps startups striving to meet the ever-evolving needs of CISOs, who are simultaneously seeking the elusive but paramount buy-in from business users and executives. The CISO role has evolved dramatically in the past few years in response to ...
11 months ago Darkreading.com
Bringing Composability to Firewalls with Runtime Protection Rules - Rule control - Customers could not easily write their own firewall rules because of the use of proprietary languages that most teams weren't familiar with unless they received specialized training, or behind walled gardens only accessible by vendor ...
9 months ago Securityboulevard.com
What Are Firewall Rules? Ultimate Guide - Firewall rules are preconfigured, logical computing controls that give a firewall instructions for permitting and blocking network traffic. Network admins must configure firewall rules that protect their data and applications from threat actors. ...
9 months ago Esecurityplanet.com
Overtaxed State CISOs Struggle with Budgeting, Staffing - Though the number of scarily understaffed offices has dropped — just two respondents reported having one to five full-time employees, down from six in 2022 — more than half of state CISOs report that their staff lack the competencies necessary to ...
1 month ago Darkreading.com
SEC Shares Important Clarifications as New Cyber Incident Disclosure Rules Come Into Effect - The US Securities and Exchange Commission has shared some important clarifications on its new cyber incident disclosure requirements, which come into effect on Monday, December 18. The SEC announced in late July that it had adopted new cybersecurity ...
11 months ago Securityweek.com
Navigating the New Age of Cybersecurity Enforcement - Many equate this move as akin to a bomb going off for people working in the CISO role. CISOs are now faced with unprecedented potential liability risks, prompting the need for a proactive approach to legal exposure for security executives. To shed ...
10 months ago Darkreading.com
Top 3 Priorities for CISOs in 2024 - As the new year begins, CISOs gather with their security teams and corporate management to scope out top priorities for 2024 and how to address these issues. This year - with a multitude of new privacy laws, Securities and Exchange Commission ...
10 months ago Darkreading.com
What do CISOs need to know about API security in 2024? - According to Postman's 2023 State of the API Report, roughly 66% of participants indicated that their APIs contribute to generating revenue. A recent ESG survey on API security showed that 92% of organisations using APIs have experienced a breach in ...
10 months ago Cybersecurity-insiders.com
Security tools fail to translate risks for executives - Organizations are struggling with internal communication barriers, which hinder their ability to address cybersecurity threats, according to Dynatrace. The results indicate that CISOs encounter challenges in aligning security teams with the C-suite, ...
6 months ago Helpnetsecurity.com
What CISOs Should Exclude From SEC Cybersecurity Filings - As enterprises continue to weigh which security incidents constitute something material enough to be reported under the Securities and Exchange Commission's new rules, CISOs face the challenge of deciding which details to report and, far more ...
11 months ago Darkreading.com
What CIRCIA Means for Critical Infrastructure Providers and How Breach and Attack Simulation Can Help - Cyber Defense Magazine - To prepare themselves for future attacks, organizations can utilize BAS to simulate real-world attacks against their security ecosystem, recreating attack scenarios specific to their critical infrastructure sector and function within that sector, ...
1 month ago Cyberdefensemagazine.com
The New CISO: Rethinking the Role - Dating back to the 1990s, the role of CISO was more technical and IT-focused. CISOs face more risks than can be resolved, are expected to balance security with operational capability, and must convince leaders to invest in protection. Today, CISOs ...
8 months ago Darkreading.com
Soft Skills Every CISO Needs to Inspire Better Boardroom Relationships - In a recent survey of CISOs, 86% of respondents said the role has changed so much that it's almost become a different job altogether from what it once was. In addition to their traditional responsibility of defending organizations from an ...
11 months ago Darkreading.com
What CISOs Need to Know About Data Privacy in 2024 - While consumers continue to demand stronger personal data protections, companies are scrambling to keep track of an ever-evolving patchwork of applicable laws and regulations. In this environment, cybersecurity professionals need to understand the ...
10 months ago Cybersecurity-insiders.com
How to Minimize Friction in the Cyber Compliance Certification - Certification has always been a great way for companies to establish trust with their customers. While there's certainly an argument to be made that certification doesn't necessarily make your company more secure, today's buyers need to know that ...
11 months ago Cybersecuritynews.com
CISOs Reconsider Their Roles in Response to GenAI Integration - Chief information security officers face mounting pressure as cyberattacks surge and complexities surrounding the implementation of GenAI and AI technologies emerge. The vast majority - 92% - of the 500 CISOs surveyed by Trellix admitted they are ...
6 months ago Securityboulevard.com
Why CISOs and CIOs Should Work Together More Closely - Although there are overlaps in the goals and responsibilities of the CIO and the CISO, there are also challenges that get in the way of a more cohesive relationship, including reporting lines, organizational structures, budgets, and risk appetites. A ...
11 months ago Feedpress.me
3 Tips for Becoming the Champion of Your Organization's AI Committee - As organizations get a handle on how AI can benefit their specific offerings, and while they try to ascertain the risks inherent in AI adoption, many forward-thinking companies have already set up dedicated AI stakeholders within their organization ...
6 months ago Darkreading.com
Fewer cybersecurity professionals losing their jobs in breach 'blame' game - Cybersecurity job loss after a major incident is becoming less likely as organizations drop the "Blame" game for more practical approaches to breach prevention, a survey of 500 CISOs shows. More than 95% of CISOs reported their teams received greater ...
11 months ago Scmagazine.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)