Charting a New Course: How the SEC has Changed the CISO Role

Nov 27, 2023
admin

The new SEC reporting requirements and legal action make it clear: cybersecurity is material to modern business, and the Chief Information Security Officer (CISO) finally has a seat at the business table. This shift will represent significant opportunities for cybersecurity leaders willing to grab them and a “be careful what you wish for” moment for others.

We know what you’re thinking – “Another set of cybersecurity regulations, big deal.” Well, these new ones are huge. Why? Because of who they are built to protect – investors.

Another major change is the level of accountability and liability they place on the CISO.

This is not a federal mandate on privacy protection or rules for notification of affected customers; these are new regulations to ensure financial investors have accurate and timely information about the cybersecurity programs of public companies. Investors want to assess, as best as they can, how susceptible a company might be to a cyber attack, and how mature their program is — before a breach — rather than after a breach that drops the stock price, like Capital One (↓14%) or SolarWinds (↓39%).

These new regulations focus on two key areas: Disclosure of Cybersecurity Incidents and Disclosure of Risk Management, Strategy and Governance regarding Cybersecurity. They come with the legal power of the SEC behind them, an organization that has already shown it will pursue individual CISOs – even before these new regulations are fully in place. CISOs are finally getting a seat at the business table, but what does this mean in practice for CISOs? How does it change their reporting structure? How does it affect their need to understand broader business and risk operations, and their personal liability?

One thing is clear: there will be opportunities for cybersecurity leaders willing to step up and define what it now means to be a CISO. As Winston Churchill once said (or was it Uncle Ben’s heartfelt advice to Peter Parker if you are more of a Marvel fan), “Where there is great power, there is a great responsibility.”

Before we dive into these changes and the implications for CISOs, let’s be clear on the SEC definitions regarding cybersecurity disclosure requirements and provide a little background on the 8-K, 10-Q, and 10-K SEC reports these new regulations relate to:

  • Registrant is a term used in reference to any company that files documents with the Securities and Exchange Commission (SEC). The term applies to companies conducting initial public offerings (IPO) and companies that file periodic reports.
  • Information Systems means electronic information resources owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.
  • Cybersecurity Threat means any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
  • Cybersecurity Incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
  • Form 8-K is known as a “Current Report,” and it is the report that companies must file with the SEC to announce major events that shareholders should know about. Companies generally have four business days to file a Form 8-K for an event that triggers the filing requirement. A publicly traded company files a Form 8-K after an unscheduled material event occurs.
  • SEC Form 10-K is a comprehensive report filed annually by a publicly traded company about its financial performance that is required by the U.S. Securities and Exchange Commission (SEC). The report contains much more detail than a company’s annual report and is sent to its shareholders before an annual meeting to elect company directors.
  • SEC Form 10-Q is a comprehensive report of financial performance that must be submitted quarterly by all public companies.

New Regulations Explained

All quotes referenced in this section are from the Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.

The SEC has adopted new disclosure requirements for Current Reports (Form 8-K) regarding cybersecurity incidents. The SEC took these actions because they “remain convinced that investors need timely, standardized disclosure regarding cybersecurity incidents materially affecting registrants’ businesses, and that the existing regulatory landscape is not yielding consistent and informative disclosure of cybersecurity incidents from registrants.”

Within four business days after the materiality determination, registrants must now disclose “the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”

What exactly does the SEC consider material impact? The SEC gives some guidance that financial condition and results of operations “is not exclusive; companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident. By way of illustration, harm to a company’s reputation, customer or vendor relationships, or competitiveness may be examples of a material impact on the company. Similarly, the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities, may constitute a reasonably likely material impact on the registrant.”

Four days may seem short, but keep in mind that the filing requirement for most events triggering a Form 8-K is four business days. The SEC also provides for a delay for disclosures that would pose a substantial risk to national security or public safety, contingent on a written notification by the Attorney General, who may take into consideration the findings of other Federal or law enforcement agencies.

Disclosure of Risk Management, Strategy, and Governance regarding Cybersecurity

The SEC has adopted new disclosure requirements for periodic reports (10-Q and 10-K) regarding the proactive side of managing cybersecurity risk. Registrants must disclose “the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.” Further, the disclosure must cover, at a minimum, the following:

  • Whether and how the described cybersecurity processes have been integrated into the registrant’s overall risk management system or processes; 
  • Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; 
  • Whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider. 

This is a starting list, in essence, as “registrants should additionally disclose whatever information is necessary, based on their facts and circumstances, for a reasonable investor to understand their cybersecurity processes.”

CISO Implications

Is it really possible that a few new SEC regulations can be the tipping point for finally getting the CISO a seat at the business table and elevating cybersecurity to a true board-level priority? When you pair it with an SEC lawsuit personally naming a CISO before these regulations even go into full effect, then the answer is yes!

Here are some key questions for CISOs to consider as they navigate this increased leadership opportunity, legal scrutiny, and liability:

Materiality:

  • What decision process will be used to determine materiality?
  • What systems will be put in place to determine what matters to the business when it comes to vulnerabilities, threats, and incidents? 
  • Are you able to map all security findings, context, and threat intel to critical assets and business operations?
  • What is the trail of evidence you will use to justify what is material and what is not?

Personal liability:

  • How will you balance proactive disclosure of potential risks with putting the company at further risk, jeopardizing investor confidence, or putting yourself at risk of personal liability?
  • Being able to defend why an incident wasn’t material will be critical for protecting yourself against personal liability.

Executive relationships and reporting structure:

  • Should the CISO become more like a CFO in terms of a working relationship with the CEO and the board?
  • Will you push for the CISO role to report directly to the CEO? If so, the time is now.
  • How will you broaden your purview into broader business risk management and disclosures?
  • The CISO role is not a corporate officer position, yet it now carries exposure similar to that of a signatory of SEC disclosures. How will you handle that exposure?

Peer Benchmarking:

  • Is your company spending the appropriate amount on cybersecurity?
  • If your company is not investing, will that put you at risk as CISO given heightened disclosures and liability?
  • How does your vulnerability backlog and risk exposure compare to your peers?

What is the plan to move from security speak to business risk:

  • How will you become adept at communicating risk to the multiple audiences now required – security team, IT and cloud, application development teams, DevOps, executive team, board, and the financial community (SEC)?

Building stronger proactive security programs is key for CISOs facing this new level of scrutiny and accountability. At Brinqa, we believe the future of proactive security starts with a Risk Operations Center: a new approach that combines operational processes, risk-based vulnerability management, and clear business-level communication about cyber risk, elevating proactive security to equal importance with incident response.
