The SEC’s new cybersecurity rule is designed to protect investors and ensure companies take security seriously. But it creates as many questions as it answers.
Public companies must report material cyber incidents within four days. They must also describe the incident's impact, including whether data was publicly disclosed and the steps they took to mitigate the risk. Cybersecurity management processes must be disclosed in annual reports.
SEI Sphere director of cybersecurity Mike Lefebvre said regulators have to take steps to help companies as they face increasingly sophisticated attacks. It’s a game many will lose without help.
Cybersecurity steps weaponized by criminals
But any regulation needs to be carefully thought out. Cybercriminals weaponize regulations as a threat tactic. One such group reported a victim to the SEC for non-compliance as part of its extortion campaign.
“They’re telling on their victims,” Lefebvre said. “Here we are making a regulation that’s given threat actors another leverage point. We have to figure out how to be smart about what we’re doing from a regulatory standpoint.”
The rule's definitions are vague. What is a “material” breach? Lefebvre said it’s a grey area. Companies might not report out of pure ignorance or to maintain plausible deniability. Many will be unable to define “material”.
Raising the cybersecurity tide for all boats
Requiring strategy disclosure in annual reports allows investors to see how seriously organizations take cybersecurity. It’s forcing some to be more dedicated and transparent in their approach.
Will that openness raise the security level for all boats, as companies will be forced to keep up with the Joneses? Lefebvre cautions that regulations mandate the bare minimum. They may keep the ship afloat but guarantee little beyond that. Still, the net result is progress.
“I do believe it is forcing a rising tide,” he said. “It is forcing a level of maturity (from) organizations in how they think about cyber risk. They must address it and not expect it to be this esoteric thing that could never happen to them.”
Will the requirement to publish cybersecurity strategies have criminals looking for the leaky boat? Lefebvre doesn’t think so. He said companies must describe their overall approach but not the basic ingredients.
Why third-party relationships matter
SEI Sphere is a regulated financial institution and a managed service provider. Lefebvre said that gives his company a unique perspective and a high standard that allows it to provide enterprise-grade security to clients of all sizes. Just as companies use lawyers and accountants because of the importance of those tasks, so should they use third-party security professionals.
“I use an accountant for my taxes because the cost of getting it done right far outweighs the risk of doing it wrong,” he said. “It’s no different with cyber; let’s pay upfront. Let’s invest now to get it done right instead of doing it wrong because when we’ve had a failure, we have to fix it, there’s the lawyer fees and brand reputation.”
“At the end of the day, data’s at stake. It’s personal. We’re talking about organizations in healthcare and finance. Whatever industry you’re part of, your data is part of this ecosystem that’s being held hostage. Everyone should feel compelled to solve this because our personal data is at risk.”
Four days might not be enough time
Is four business days enough time to report a material breach? Lefebvre said that’s the $1 million question. It’s hard to report a fire while you’re fighting it. Which systems are impacted? Which business units are involved? When did it happen? How is the criminal reacting to your efforts?
“There’s a lot of cooks in the kitchen during an incident,” Lefebvre said. “All the while, there’s an active adversary on the other end of the keyboard, manipulating and working in lockstep with what you’re doing. So, amidst all that backdrop, it’s a bit of a circus. And we’re trying to figure out how we properly position ourselves, not to indemnify ourselves, to not tell our hand to the attacker that we understand we’re being attacked?”
There’s much at risk for companies that report. MTTR (mean time to repair) is an oft-cited statistic used to compare companies’ effectiveness in addressing cybersecurity breaches, but reporting a breach also lets criminals know you’re on to them.
“Attackers can lurk for months. You tell the SEC, they know and pull the pin or change tactics,” Lefebvre said. “There’s a real balancing act that we need to do here between understanding the need to protect investors and the need to protect the organization. But we’re playing with an adversary that didn’t play by the rules.”
AI – the good and the bad
Lefebvre said AI brings both excitement and challenges. On the positive side, it’s a curated librarian who can connect the dots in new and exciting ways. On the negative side, it improves the quality of cyberattacks by removing bad grammar and other telltale signs of an infiltration attempt. Still, as with any disruptive technology, Lefebvre believes we must embrace it because if we don’t, the other side will, and we’ll fall behind.
Another cybersecurity aspect that must change is the mindset innovators bring at the outset. Computer science students are graded on code that works, whether it’s secure or not. Lefebvre said that’s why security has always been an afterthought.
“But we’re getting better,” Lefebvre admitted. “That aligns with the whole shift of software development and getting security involved earlier in the development process. It’s always been buying the technology, implementing it, building it, connecting it, and then what have we done to expose ourselves that we didn’t even think about?
“My hope is there’s a future where it’s not just technology and security are separate, but that secure technology is one word, and that every technology is being thought about in a secure manner, about whatever risk is being brought onto that organization.”