Confusion over when and how to report cybersecurity breaches continues to plague companies a year after revised US Securities and Exchange Commission (SEC) rules went into effect, experts say.
As the agency that regulates and enforces US federal securities laws continues to flex its enforcement muscles against organizations that break its rules, and imposes stricter deadlines for the disclosure of cybersecurity incidents, CISOs and other senior executives are under increasing pressure to investigate quickly and report breaches deemed material, a determination that is far from simple.
Companies run into trouble with the SEC if disclosures are not forthcoming or timely enough, according to Joe Shusko, a partner in global advisory firm Baker Tilly’s cybersecurity practice. They therefore need strategies for staying compliant with rules whose meaning and application are not always clear and vary with the circumstances.
“The determination of materiality is not straightforward and should not be done in isolation – senior security personnel should work with business colleagues, legal counsel, and foreign intelligence as part of a disclosure committee,” Shusko told CSO.
SEC enforcement is not slowing down
The SEC has taken more than 200 enforcement actions since gaining the authority to do so in 2015, a quarter of them involving cybersecurity incidents. A growing list of actions has been brought against companies deemed to have misled investors about events considered important to stakeholders.
In December 2024, the SEC charged Flagstar with “making misleading statements about a cybersecurity attack on the Flagstar network in late 2021”, an attack also known as Citrix Bleed, in a case settled for $3.55 million. The SEC found that although the company reported the breach, it failed to disclose that sensitive customer data of approximately 1.5 million people had been exposed.
A few months earlier, the SEC fined four companies $7 million for “misleading cyber disclosures” related to the SolarWinds hack. The quartet – Avaya, Check Point, Mimecast, and Unisys – were found to have made misleading disclosures about the impact of the 2020 software breach on their individual businesses, leaving investors and other stakeholders in the dark.
The four tech companies each agreed to settle the charges over their disclosures by paying fines, without admitting wrongdoing. Unisys, which was also charged over security breaches, agreed to pay a $4 million fine, while the other vendors paid about $1 million each.
CISOs still face fear and uncertainty
Former Uber CSO Joe Sullivan, a security expert convicted of obstructing the reporting of Uber’s 2016 privacy breach, argues that despite the increasing number of enforcement examples, there is still much uncertainty about how companies can achieve compliance.
“There’s a lot of fear out there right now because there’s no clarity,” Sullivan told CSO. “The government controls through enforcement measures, and we get incomplete information about each case, which leads to a lot of speculation.”
Based on its history, the SEC may issue clearer and more detailed guidance on the disclosure rules in the future, Shusko said. However, it is unlikely to let organizations that violate the rules off the hook pending any future clarification.
The SEC did not immediately respond to CSO’s questions about whether additional guidance on its revised reporting rules was on the way. While the incoming Trump administration has promised to loosen business regulation in general, whether, and how much, the cyber incident disclosure rules might change remains unclear.
Companies should err on the side of transparency
As things stand, CISOs and their colleagues must plan a clear course of action for meeting reporting requirements in the event of a cybersecurity incident or breach, Shusko said. That means anticipating those requirements by making compliance arrangements part of any incident response plan.
When they must disclose a cyber incident, companies should be timely while taking care not to release information that points to unresolved security flaws which future attackers could exploit.
“Organizations should err on the side of transparency,” Shusko said.
Simon Edwards, senior manager at security testing firm SE Labs, advised: “Get the processes in place, including knowing where to get the form to submit to the SEC and perhaps pre-filling it with as much information as possible. Then, when the unthinkable happens, there is less chance of panicking and making mistakes.”
Recent fines have also laid the groundwork for the SEC to take enforcement action against other non-compliant entities. Although the SEC’s disclosure rules are primarily aimed at publicly traded companies, a much larger range of entities may feel their effects.
Given that disclosure requirements are not always straightforward, there is no substitute for real preparedness, which makes it important to rehearse situations that may require disclosure through tabletop exercises and other tests, according to Edwards. “Speaking as someone who has invested a lot in my company’s security, I can say that the most obvious and important thing a CISO can do is to role-play an incident.”
Breach reporting can also affect companies’ supply chains
“The disclosure rules are aimed at publicly traded entities, but that doesn’t mean that non-publicly traded entities are excluded,” Shusko said. “Public companies will likely expect their business partners to disclose and communicate any cyber attacks that may impact their organizations and therefore their customers. Organizations need to understand their supply chains.”
Baker Tilly has published advice on how companies can reduce their critical IT compliance risks and meet the SEC’s cyber disclosure rules.
Disclosure rules that are open to interpretation mean that some companies will feel compelled to disclose less significant security incidents. For example, Shusko says, even though the recent cyberattack against American Water did not have a noticeable impact on the organization, it still disclosed the attack to keep its stakeholders informed.
“There is a lack of clarity about where enforcement actions can begin,” Sullivan said.
Senior security professionals and their colleagues face a particular challenge in determining whether a security incident is material, and therefore something they are obliged to disclose, or less serious and something that can be handled in-house.
“[There’s] confusion about what meets the ‘material’ threshold — companies are all over the place in their disclosures, and the guidance from the SEC was very confusing,” Sullivan said.