As enterprises continue to weigh which security incidents are material enough to be reported under the Securities and Exchange Commission's new rules, CISOs face the challenge of deciding which details to report and, far more critically, which ones to omit. "This [SEC] rule puts CISOs in a very delicate position, and they are not being given a lot of guidance or direction," says Merritt Maxim, a Forrester VP and research director.

In the case of a material incident, the CISO, along with the security operations center, would have to prepare a memo with all of the incident details and send it to investor relations and legal. Once those departments have reviewed it, the memo would be used to prepare the filing for the SEC.

Although the new SEC rules take effect Dec. 18, CISOs can already look at the disclosures from three enterprises - Caesars, MGM, and Clorox (which filed twice) - to get an idea of how to comply. Since the filings deal with very different incidents, it makes sense that the details they contain are also very different. The filings also do not share any details that are likely to change. Most initial details are wrong, and reports are repeatedly updated as the days, weeks, and months go by.

"Only report what you know by 80% to 90% certainty," says Dirk Hodgson, CISO of NTT Australia. "A few days into an incident, you are simply not going to know a great deal. You still are likely not even close to the point of having surveyed your entire global environment."

Douglas Brush, a special master with the US federal courts and the chief visionary officer for Accel Consulting, stresses that choosing which security incident details are material can be challenging. It's one thing to conclude that the incident is material, he says, but selecting which specific details are relevant and meaningful for the investing public is quite different.
Clorox's SEC filings illustrate the "Report what you are confident about" point well, says Phil Neray, vice president of cyber defense strategy at Gem Security. Disclosures should be kept simple and to the facts, agrees Rex Booth, CISO of SailPoint.

CISOs must also be aware of what details are already public. In the Caesars and MGM incidents, for example, more information was available via social media than from the filings, such as the fact that guests staying at the two casinos were unable to get into their rooms. CISOs should separate what happened from what the organization is going to do about it, Adib says.

Higher Profile for Breaches

From a practical perspective, nothing has changed regarding what has to be reported; the SEC has always required every publicly held company to report anything material to the SEC. The change is about timing - within four days - and the emphasis being placed on the disclosures. The fact that the SEC now has a document dedicated just to reporting cybersecurity incidents will bring incidents front and center with every board of directors and with every CEO and CFO.

"This will lead to far more internal attention. This is no longer a line buried in hundreds of thousands of lines in a 10K," Booth says.

CISOs should also bring corporate counsel or outside legal advisers into the disclosure discussions and decisions, says Accel's Brush. "The CISO's communications with the inside security team are all potentially discoverable," Brush says.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000