authors
Ivan Dwyer

While there are no security silver bullets, there are often silver linings. Following an engaging AMA on the topic of recent SEC regulations for disclosing cybersecurity incidents deemed material to investor confidence, our panel of experts all agree – there are positive outcomes once you get past the initial fear.

It's Monday morning after a couple of heated NFL championship games. This means the pundits are pulling out all the stops with their Monday Morning Quarterback analysis. What does this have to do with the new SEC regulations? In short, timing and evidence.

The SEC is demanding precision, which means they get to play Monday Morning Quarterback with every security incident reported to them. As we've discussed in a previous article, what counts as "material" is subjective, but the responsibility to disclose and the timing in which to do so are not. The SEC will be there asking hard questions about what you knew and when, and then what you did about it.

During our AMA last week, the panel of experts covered several burning questions the security community has been asking since these new SEC regulations went into effect.

Watch the recorded session below or read on for a few notable takeaways.

On Disclosure: Incident Responsible

Having strong, well-documented incident response protocols isn't a new concept, but it has taken on heightened importance due to these regulations. This is naturally true for security teams, but it's also true for those outside the security department who may have never been involved. Increasing the transparency of security procedures for business stakeholders is generally a good thing.

The question still remains – who decides what is material? Our panel recommends forming a committee that spans security, risk, and legal representation, aligning on a shared language and mutually agreed definitions. It may still be necessary to designate a single individual to make the ultimate decision, such as the General Counsel or the CFO.

Security teams strive to connect their hard work to tangible business outcomes, which can be challenging. Security leaders are also accustomed to advocating for resources, but often only receive the necessary support when dealing with fire-fighting scenarios. The presence of such a looming figure in the SEC may just be the key to helping security teams advocate for proactive fire prevention.

On Materiality: Shift Counsel Left

One potential change to incident response procedures is involving legal counsel at an earlier stage than they may have been in the past. Instead of only seeking their advice about what to disclose after a retrospective, the recommendation is for counsel to be involved as soon as an incident is discovered.

Involving counsel early is critical for these reported incidents, as counsel will have a better understanding of what should be initially disclosed to meet the 4-day requirements of the SEC, and what to withhold as the incident continues to be formally investigated.

There's already enough pressure on security teams dealing with incident response – the pressure on communications is one that should be relieved by those who know how to strike the right balance.

On Liability: Know the Ledge

If the SEC investigating companies for securities fraud isn't new, and companies incorporating strong incident response procedures isn't new, what's the big deal with these regulations anyway? It's because there's a notable convergence of corporate responsibility and personal liability, but the lines can be blurry at times.

It's important to keep in mind that both your company's legal counsel and insurance plans are meant to safeguard the company. Nevertheless, as a company officer, you may have the right to request personal coverage. If this isn't an option, it may be beneficial to have your own legal representation available.

While knowing your personal liability is important, there's less need to be alarmed than it may appear. The SEC's enforcement is specifically focused on cases of significant misrepresentation, rather than just the occurrence of a security incident. If you are confident that your company's security policies and incident response procedures are as they are claimed to be, you can feel more at ease about your personal liability.

In Conclusion: In Tune and On Time

The greatest takeaway from our AMA session is that we can all expect security incidents to be scrutinized like financial records. As such, accuracy and timeliness are paramount.

Every company has security incidents, so there's less imminent danger in over-reporting than there is in under-reporting. Public markets have a short attention span when it comes to these happenings, but they're less forgiving with regulatory consequences that have financial or legal implications.

Stay diligent with good documentation, and know when the right time is to come forward. The silver lining of all of this may just be better procedures, heightened importance, and increased transparency.
