If the last few years have taught cybersecurity practitioners and corporate leaders one thing, it would be that cyber threat actors are crisis generators. Increasingly, the crisis that follows a cybersecurity event is more than technical exploitation, financial extortion, reputation control or shareholder response—but one must now also deal with regulator interest in breaches, interest that often extends beyond the basics of how the actor “got in” and what was “at risk.” Currently, regulators from the Securities and Exchange Commission (SEC), New York Department of Financial Services (NYDFS), and even the Department of Labor (DoL) are maturing their review and assessment processes that investigate victim organizations’ cybersecurity program health, incident handling, and reporting.
It is no longer sufficient for regulated industries to just react to incidents and the inevitable regulatory response. Companies must take an active role in maturing their programs so that they robustly counter potential risk. Current and future regulator activity, rulemaking, and trends associated with regulator responses to incidents must be incorporated into the broader company strategy and should be handled in accordance with a sound crisis management framework.
An example of the type of information that signals emerging regulator interest, strategic intent, and future expectations is a recent SEC press release issued on March 9, 2022 which proposed new rules on cybersecurity risk management intended to “standardize disclosures.” The detailed amendments are designed to “further inform investors about risk management, strategy, and governance” while also giving notification to investors of material cybersecurity incidents. Understanding these types of proposals, their intent, and the impact they will have (if adopted) is key to moving from a reactive posture toward actively predicting and defending against future risk.
One of the amendments sets the expectation the SEC will not only want reporting on material incidents but will seek periodic updates as those incidents mature. This new periodic update proposal will necessitate that companies redesign how they manage incidents, coordinate messaging, assemble the information required, and establish an appropriate method and manner of delivery. Failure to respond per required procedures, or in a manner deemed to be “insufficient,” could result in exacerbating the crisis subsequent to the breach event and create a broader problem with compliance and regulatory scrutiny.
Another component of the proposal, more expansive in scope and potentially problematic depending on the state of a given organization’s cybersecurity program, would require “periodic reporting” about the policies and procedures relating to the identification and management of cybersecurity risks. This broad mandate is one that companies subject to SEC enforcement actions should not ignore or risk taking a “wait and see” approach. These companies should immediately review the proposed requirements and begin formulating future response plans and procedures as part of modernizing their crisis management framework.
Finally, one more amendment would require “annual reporting or certain proxy disclosures about the board of directors’ cybersecurity expertise.” Does this mean the SEC is defining their own standards of expertise and will measure or assess this expertise over time? Is a company at risk of further scrutiny if they cannot report expertise at the board level? These are all questions companies should consider now, assess where they stand, and begin proactive efforts to weight and reduce potential exposure against their informed business risk appetite.
This one SEC announcement alone has demonstrated multiple examples of proposed changes that should encourage regulated entities to take action and no longer sit idly waiting to respond to incidents and the resulting regulatory response. Today’s realities require proactive measures that drive company posture to anticipating and even predicting regulatory risk. For companies of all stripes, now is the time to take action: recent regulator activity, rulemaking, and trends associated with regulator responses to incidents must be incorporated into a broader company strategy and should be mitigated in accordance with a sound crisis management framework.