MailGuard Aug 10, 2023 9:35:45 AM 8 MIN READ

New SEC Material Cybersecurity Incident Disclosure Rules

“We regret that sufficient protections were not in place to prevent this cyber-attack.”

Those were the words of Shaun McNally, chief executive of the UK Electoral Commission, speaking about a cyber-attack in which the data of 40 million voters was exposed. The intrusion went undetected for over a year, and the public was not told for another 10 months after it was discovered.

It’s gobsmacking that it is still not uncommon to hear senior executives concede that their organisations did not have sufficient protections in place to defend against a cyber-attack. Perhaps even more concerning is the lack of transparency towards stakeholders when an incident does, inevitably, occur.

That lack of transparency is the motivation behind new rules from the SEC in the United States that require publicly listed companies to disclose material cybersecurity incidents to investors within four business days of determining that an incident is material.

Introduced on the 26th of July 2023 by the Securities and Exchange Commission, the new rules require ‘registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.’

SEC Chair, Gary Gensler said in the press release “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors.

Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

For incident reporting, the new rules require registrants to:

  • Disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material. The filing is generally due within four business days of that materiality determination, not of the incident itself or of its discovery; the determination, however, must be made without unreasonable delay after discovery.
  • Describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

The filing may be delayed only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing.

The rules also require registrants to describe, in their annual report on Form 10-K:

  • Their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, and
  • The material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.

And, in the same annual report, to outline:

  • The board of directors’ oversight of risks from cybersecurity threats, and
  • Management’s role and expertise in assessing and managing material risks from cybersecurity threats.

PwC says, “This gives your organization approximately five months to confirm your compliance plans before the new disclosure requirements take effect in mid-December. The revisions from the proposed rule have streamlined the disclosure requirements in many ways…

Still, disclosure can seem a daunting prospect if your company’s cybersecurity program won’t withstand investor scrutiny. Many companies are not ready today to reveal their cyber capabilities to the extent that the new rule requires…

The disclosure requirements aim to protect investors from the harms that a cybersecurity breach could cause. As the number, severity, and stakes of cybersecurity incidents continue to rise, investors are demanding transparency from the companies in which they’ve placed their resources and trust.

With this new rule, the SEC puts the onus on companies to give investors current, consistent and “decision-useful” information about how they manage their cyber risks.

We see the rule as a call to action, challenging enterprises to be ready to expand their disclosures regarding their cyber risk management, strategy, and governance processes.”

PwC adds that the ‘requirement for transparency into cyber practices and incidents has shifted from statutory to actionable, from inconsistent and incomplete to “decision-useful”.’

Likewise, Deloitte observes that “The final rule addresses concerns over investor access to timely and consistent information related to cybersecurity as a result of the widespread use of digital technologies and artificial intelligence, the shift to hybrid work environments, the rise in the use of crypto assets, and the increase in illicit profits from ransomware and stolen data, all of which continue to escalate cybersecurity risk and its related cost to registrants and investors.”

And Foley & Lardner LLP offer the following as recommended actions:

  • ‘Registrants should evaluate their cyber incident reporting disclosure controls and procedures to ensure information is elevated to management in a timely manner and appropriate materiality determinations are made in light of the four business day requirement to file an Item 1.05 Form 8-K.
  • Registrants should review and test their cybersecurity incident response plans to ensure incidents are appropriately reported throughout the organization. These plans should be regularly reviewed and tested through mock tabletop exercises to ensure a timely and adequate response. With the new disclosure requirements, it is important that testing include management to ensure the ability of the organization to meet its increased disclosure obligations in connection with cybersecurity incidents. Further, registrants should delineate the personnel/team responsible for determining whether a cybersecurity incident is material as well as their specific decision-making and documentation processes.
  • Boards should still be cognizant of which directors have expertise or experience with cybersecurity and which committees or subcommittees, if any, are responsible, or should be responsible, for providing oversight with respect to cybersecurity matters and amend governance documents accordingly. Additionally, though the final SEC rules do not require disclosure of individual director expertise with cybersecurity, we expect many companies will continue to make or add this disclosure in connection with director skills matrices.
  • Registrants should work to identify, if not already clear under current company policies and procedures, specifically who is responsible for monitoring risks from cybersecurity threats and understanding how these processes will now be disclosed, how cybersecurity risks are identified, and how cybersecurity incidents are discovered, mitigated, and remedied. There will be increased pressure for registrants to develop comprehensive, risk-based cybersecurity management programs to monitor the evolving risks to their companies. Such programs should include, as appropriate, completing a data map of information and systems, determining applicable cybersecurity frameworks, conducting risk assessment and pen tests, implementing reasonable security measures, having contractual protections (including to help ensure there are processes in place to oversee and identify third-party service provider risk), evaluating cyber insurance options, implementing workforce training, and conducting mock tabletop exercises, among other programs depending upon the registrant’s industry and specific cybersecurity risks.
  • Registrants should determine and document the assessors, consultants, auditors, and other third parties assisting them with their cybersecurity programs, especially the third parties that will assist with incident response, including IT forensics, public relations, ransom negotiation, disaster recovery, and law firm experts.’

The new SEC rules are designed to improve breach disclosure, to ensure more consistency of reporting, increase transparency, and to elevate oversight and engagement from senior leadership, raising questions about whether other markets like Australia should follow suit.

What are your thoughts, and are your customers prepared if similar requirements are imposed upon them?

Keeping Businesses Safe and Secure

Prevention is always better than a cure, and one of the best defences is to encourage businesses to proactively boost their cyber resilience so that threats never land in inboxes in the first place. Industry reporting has put the share of malware delivered by email as high as 94%, which makes email an extremely important vector for businesses to fortify.

No one vendor can stop all email threats, so it’s crucial to remind customers that if they are using Microsoft 365 they should also have a third-party email security specialist in place to mitigate their risk, for example a third-party cloud email security solution such as MailGuard.

MailGuard provides a range of solutions to keep businesses safe, from email filtering to email continuity and archiving. Speak to your customers today to ensure they’re prepared, and get in touch with our team to discuss strengthening your customers’ Microsoft 365 security.

Talk to us

MailGuard's partner blog is a forum to share information; we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.

Australian partners, please call us on 1300 30 65 10

US partners call 1 888 848 2822

UK partners call 0800 404 8993
