About six months ago, CISO Steve Cobb noticed that the contract language proposed by public companies had some notable additions.
In the case of a breach, publicly traded companies wanted more control over how their third-party providers responded to an incident - in some cases, they proposed to take over the incident-response process or wanted the third-party provider to make a determination within hours of whether a breach could be material, says Cobb, who manages cybersecurity for risk intelligence firm SecurityScorecard.
The company has even seen similar contract language proposed by its own customers, he says.
The impact on private third-party providers is just one way that enterprises are attempting to change their operations to comply with the SEC's mandate.
Already, chief information security officers worry that they will be held accountable for any mistakes in determining the materiality of a breach, and they point to the prosecution of SolarWinds' CISO as representing the personal risk of the position.
Companies could face millions of dollars in fines if they fail to notify the SEC of a material breach.
Overall, 68% of cybersecurity teams do not believe that their company could comply with the four-day disclosure rule, according to a survey published on May 16 by cloud-security firm VikingCloud.
Large Public Firms Already Have the Tools

The largest public companies already have disclosure committees to determine whether a variety of events - from severe weather to economic changes and geopolitical unrest - might have a material impact.
Adding cybersecurity incidents to their purview requires that various groups - IT, cybersecurity, legal, and business - be brought together and be presented with the necessary information to make a determination, says Naj Adib, principal for cyber and strategic risk at consultancy Deloitte.
CISOs can use tabletop exercises to help companies create the right process for determining materiality and to collect the evidence needed to sign off on a disclosure within the four-day window.
Companies that cannot determine the impact of an incident with certainty may end up disclosing a breach preemptively in order to satisfy potential notification requirements.
Such concerns led financial-services giant Prudential to proactively file a disclosure statement with the SEC in February, despite the fact that the company had only started its investigation and had no indication that the breach would have a material impact.
Every Company's Response Differs

While larger companies have focused on the issue for over a year - even before the rule was finalized - smaller companies have had a more difficult road, says Matt Gorham, leader of the Cyber and Privacy Innovation Institute at consultancy PricewaterhouseCoopers.
Companies need to focus on creating a documented process and saving contemporaneous evidence as they work through that process for each incident.
There has not been a large volume of filings, so there is not enough data to pick out a trend, he says.
Failure to Report

Smaller companies - and third-party providers - are likely less prepared and a worry for their publicly traded clients.
Companies with smaller cybersecurity teams - where analysts also configure security controls - can run afoul of regulations due to the human element.
In a survey of security teams, for example, VikingCloud found that four in ten cybersecurity professionals have not reported an incident for fear of losing their jobs.
While SecurityScorecard's Cobb feels he has the support needed to create a strong cybersecurity process to comply with customers' disclosure needs, he also believes he is in the minority.
For the most part, CISOs are being asked to take responsibility for a determination of materiality when they often have neither the authority to make recommendations nor the budget to implement them, he says.
This Cyber News was published on www.darkreading.com. Publication date: Fri, 17 May 2024 14:00:55 +0000