In an era of increased transparency, determining how much cybersecurity data to disclose to the SEC is tough. One key question: which attacks are ‘material’?
By Russ Banham
Like other CIOs, Jeff Nimeroff diligently pored over the cybersecurity disclosure proposal released by the Securities and Exchange Commission (SEC) on March 9 with some uneasiness. The proposed rules seek to enhance and standardize the disclosure of a public company’s cyber risk management, strategy, governance and incident reporting. The issue for Nimeroff and other CIOs is determining how much to publicly disclose, given the obvious value of this information to hackers.
“One of the cyber risk management tenets we subscribe to is ‘security through obscurity,’” said Nimeroff, CIO at public company Zeta Global, a cloud-based marketing technology company with $458 million in 2021 revenue and 1,400 employees globally. “I don’t like to talk much about specifics, other than to say it’s my 24/7 job to make sure our cybersecurity is vigilant and complete.”
If the SEC issues a final ruling that looks much like the current proposal, obscurity will bend to the need to give investors the insights they have long sought into a public company’s preparedness to intercept a cyberattack and avert the business impact. Indeed, no investor wants to be caught flat-footed having parked capital in a company brought to its knees by a ransomware attack broadcast across the world. “Cybersecurity incidents and other risks are considered one of the largest threats to companies,” states the proposal by the SEC, whose job is to protect investors.
These risks have increased for several reasons, including the increasing digitalization of business operations, the growing prevalence of remote work, increasing reliance on IT third party providers offering cloud computing and other services, and the enhanced ability of cyber criminals to monetize cybersecurity incidents like ransomware using hard-to-track cryptocurrencies, the SEC noted.
In addition to proposing that public companies disclose a material cyber incident within four business days, an incredibly complex determination, the SEC further recommends they disclose the procedures used to identify and manage cybersecurity risks—akin to asking a safecracker to turn over the tools and techniques used to open a safe to other would-be safecrackers. “The challenge is deciding how much cybersecurity information is too much or too little,” said Chandrasekar Venkataraman, director of risk advisory services at audit and advisory firm Kaufman Rossin. “Registrants could either under-report or over-report.”
In each case, the outcome is not good. “If you under-report your cybersecurity risks to investors, you could end up giving them enough room to pursue a plaintiff litigation scenario,” Venkataraman said. “And if you over-report, you could end up exposing your cyber vulnerabilities to rogue actors, possibly resulting in additional and more severe cyber incidents to the detriment of the company and its investors.”
The 129-page SEC proposal, formally called the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure proposed rule, can be distilled into four key compliance requirements for CIOs and/or CISOs. They include the disclosure of a cyber incident within four business days of the triggering event (if determined to be material to investors); regular updates to these disclosed events; the risk management programs and strategies for addressing cybersecurity risks; and the roles of management and board members in terms of risk assessment, management, governance and oversight.
These disclosures are needed to protect investors. In a statement announcing the release of the proposal in March, SEC Chair Gary Gensler called cybersecurity an “emerging risk … with significant financial, operational, legal, and reputational impacts. … Investors want to know more about how issuers are managing those growing risks.”
While many public companies already provide cybersecurity disclosures to investors, Gensler said the proposed rules would ensure that cyber risks are reported in a “consistent, comparable and decision-useful manner (for investors).”
In the public comment period that followed the release of the proposal, many comments by senior corporate executives focused on the inherent difficulties of determining the materiality of a cyber incident, especially within four business days of its discovery. Although the word “material” appears 161 times in the proposal, the SEC leaves it up to businesses to discern whether a specific type of cyberattack would be considered material enough to affect a reasonable shareholder’s decision-making.
It is not unusual for a public company’s network and systems to incur hundreds if not thousands of cyberattacks on an annual basis, the lion’s share unable to penetrate corporate IT networks and systems. These events are likely not material. But what about an attack that breaches a system and is quickly stamped out? “Rogue actors are banging away on the steel doors all day long [trying] to get into the computer system, but only a few get through,” said Venkataraman. “Is it ‘material’ to report just the ones that get through or every incident?”
Establishing materiality in a mere four business days is a complicated and time-consuming matter, Ernst & Young stated in its public comments. “To determine whether a cybersecurity incident is material, registrants would need to evaluate the total mix of information, taking into consideration all relevant facts and circumstances of the incident, including both quantitative and qualitative factors,” the audit and advisory firm commented. “We do not believe that setting a deadline to perform a materiality assessment is necessary.”
“The response timeframe is very tight,” agreed Edward McNicholas, co-leader of law firm Ropes & Gray’s data, privacy and cybersecurity practice. “In a complex attack, even if you have a good incident response program with legal and other advisors lined up and ready to go, it may take some time to get reliable information on the cause and effect.”
Since rogue actors are constantly pursuing ever more novel ways of perpetrating a cyberattack, IT security leaders will have their hands full determining these causes and effects. In the past, a company might disclose to investors that it was targeted by several different types of attacks, without offering much specificity; in the future, it would need to disclose the specifics of each incident.
“The days of framing cybersecurity risks as hypothetical risks in a public company’s SEC filings are over,” said McNicholas. “If there is an intrusion and it is deemed material, you’d have to report it as such, assuming the present proposal became the final one. This is a crucial distinction, as it impels companies to err on the side of over-disclosure.”
Requiring companies to publicly disclose the intrusion and related cyber defenses could provide hackers with new information on how to launch other attacks. McNicholas provided the example of business email compromise, a type of spear phishing attack. “The company would need to disclose this (information) in four business days; unless (the incident is) remediated in that timeframe, it could telegraph to hackers a potential opportunity to attack the organization with another business email compromise attack,” McNicholas said.
Walking the Line
To walk the line between under-reporting and over-reporting material cyber incidents, cyber defense and other risk management procedures, tech leaders like Carlos Fuentes are updating their cybersecurity playbooks. “We’re breaking every incident up into routine and non-routine events and categorizing them as such,” said Fuentes, CISO at public company Pega, a provider of software for customer relationship management and business process management, with $1.2 billion in 2021 revenue and 6,200 employees across 41 locations across much of the world.
Non-routine incidents like a ransomware event would be considered material and should be disclosed. “If we have a body of work involving many people putting in effort to contain an incident, that’s something any reasonable investor would want to know about,” Fuentes said.
Nevertheless, there are nuances to be considered. “Sometimes if there is a significant cyber incident, law enforcement will get involved in an active investigation and not allow the company to report what occurred,” he said. That’s a problem for a global company operating in multiple jurisdictions. “If the event occurred in India and law authorities in the country require you to keep the attack under wraps, do you or do you not disclose it to the SEC for dissemination to investors? In such cases, it makes sense to bring in outside counsel for advice.”
Regarding the disclosure of information on Pega’s cyber risk management procedures, Fuentes said it is not as complicated as it may seem. “We’re already providing risk exposure information to cyber insurers through our insurance broker,” he said. “Each year as the (insurance) policies come up for renewal, the insurers send us a list of the 10 new things we need to do to renew the insurance. Those become our new risk mitigants.”
Fuentes explained that cyber insurers have amassed an enormous data repository on the newness, severity and frequency of different types of cyberattacks. “Ten years ago, the big mitigant was antivirus software; today it’s endpoint security,” he said. “Based on their policyholders’ claims data, insurers are able to see the cracks, crucial information in determining how to patch them.”
CIO Nimeroff at Zeta Global also feels he has a good handle on the situation, having secured the cloud-based marketing tech company’s environment from a people, process and technology perspective, he said.
“We’ve instrumented the organization to look for and aggregate signals in the security sense, gathering the information that will lever up to provide the disclosures the SEC is seeking,” Nimeroff said. “Each risk is tracked and assessed in real time insofar as its impact, documented from both a technical and nontechnical standpoint and then reported to our technical auditors, as we do ISO, SOC and SOX audits. We’re already presenting this information in a forum that is highly regulated and highly scrutinized. I believe this sets us up well enough to address the disclosure requirements.”
Nevertheless, he agreed with the other interviewees that determining materiality is a tough nut to crack. “A single incident may not rise to a level of materiality but when taken in the aggregate may in fact be material, sort of ‘damage by a thousand cuts,’” he said, explaining that an unrelenting series of cyberattacks may suggest some sort of inherent vulnerability. “It might behoove the company to not under-report these instances,” the CIO said.
Too little, too late is never a good option.
Russ Banham is a Pulitzer Prize-nominated business journalist and best-selling author.