Q&A with Roya Gordon, Hexagon Executive Industry Consultant
We recently saw some new guidance from the U.S. Securities and Exchange Commission around the disclosure of cyber events and cyber protections. Tell us a little bit about what the SEC rules require.
On July 26, 2023, the SEC published guidance requiring publicly traded companies and foreign private investors to report the following:
Annually: “Disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.” [1]
Four business days: Disclose cybersecurity incidents four business days after it has been determined that the incident had a “material impact.”
24 hours: Report ransomware payments within 24 hours.
What are some important considerations for companies’ cyber strategies as they think through and come into compliance with this rule?
According to the SEC, the term “material” is defined as a matter that has a “substantial likelihood that a reasonable person would consider it important.” [2] This term has been used in existing SEC reporting requirements, where companies are required to report on anything that could impact an investment decision (Mergers & Acquisitions, divestitures, bankruptcy, lawsuits, etc.).
The term “material,” as it pertains to cyber incidents, has not been clearly defined by the SEC, leaving individual companies to define and determine if cyber incidents would be “material” and need to be reported.
Additionally, it can be challenging for operational technology (OT) companies to report on cyber incidents four days after it has been determined to have a “material” impact because the impact may not be realized until weeks, months, or even a year after the initial attack.
For example, Clorox recently disclosed a cyber incident and has had to file a number of notices to investors as the company uncovers the extent of the cyber event.
Does this change how companies plan their cyber strategies?
This regulation might come as a surprise to the public but, according to the SEC, companies have already been disclosing material cyber incidents to investors. Prior to this amendment:
1. Reporting was optional, and
2. There was no set time on when to report an incident.
This new regulation establishes a more formal process, ensuring that all organizations are reporting incidents to the same degree and within the same window of time to have uniformity across the board.
Specifically for OT cybersecurity, are there unique considerations that companies need to consider?
Investors want to know that organizations have a low cyber risk profile and are reducing their cyber risks so they can make more informed investment decisions. For example, an investor may have investments in a company forecasted to increase in revenue but may reconsider if that company has a series of cyber incidents that could have not only a financial but a physical impact on the organization. There are several examples of cyber incidents costing organizations millions of dollars in either ransom payments, [3] replacing assets, [4] or reputational damage. [5]
Because cyber-attacks on companies with OT assets can cause cyber-physical effects (shutting down of a physical process directly tied to revenue), organizations must reduce their susceptibility to attacks having a “material” effect on their business.
With growing regulation and disclosures around cyber incidents and defenses, how do companies need to incorporate existing and future regulatory requirements?
While the US government has enhanced its public-private relationships throughout the years, there is significant room for improvement when it comes to inter-agency relationships. Each regulatory entity has its own requirements for reporting cyber incidents, which could result in organizations experiencing “reporting fatigue.” Some regulations are specific to industries, such as Utilities, O&G, Rail, Airports, etc., while other regulations, including the new SEC guidelines, span across all industries.
Therefore, in order to stay on top of cyber incident reporting, as well as regulatory changes, an organization should appoint an individual (or a team) to be the sole point of contact for reporting cyber incidents to the varying entities.
This regulation in particular should be on the high-priority reporting list, as it could directly affect the financial success of a company. SEC Commissioner Jaime Lizarraga stated the new regulation “will reduce the risk of adverse selection and the potential mispricing of a company.” [6] With the rise in ransomware, and overall cyber incidents, this new SEC regulation could result in cyber incidents indirectly influencing the stock market.
How can Hexagon help organizations report on their cybersecurity risk management, strategy, and governance to meet the SEC’s new guidance?
Cybersecurity is all about risk reduction and minimizing the material impact of an incident. A good cyber risk strategy should focus on (1) reducing the likelihood or probability of an attack and (2) reducing the consequence or impact of an attack.
Although there may be ambiguity in the SEC’s terms and reporting timelines, there are ways in which organizations can reduce their cyber risks and overall material impact:
Cyber hygiene: Cyber hygiene is key to having a strong security culture within an organization. This includes:
Training employees on how to identify spear phishing emails and Business Email Compromise (BEC) and to avoid malicious links that could be loaded with malware or ransomware, or lead to other system compromise.
Having strong password policies to ensure passwords are difficult to crack and that they are changed frequently in case employee credentials were stolen in a data breach and sold on the dark web.
Using Multi Factor Authentication (MFA) to confirm identity for account access.
Implementing privileged access management (PAM) to prevent threat actors from escalating their privileges once in the network.
Implementing network segmentation to contain a threat, reducing their lateral movement throughout the corporate network.
Asset Inventory: An asset inventory is a comprehensive record of an organization’s hardware, software, and data assets. It provides detailed information about the assets such as the vendor name, version number, configuration, and other relevant attributes. Maintaining an accurate and up-to-date asset inventory is essential to securing cyber assets and reducing cyber risks.
Vulnerability Management: Vulnerability Management is a process that involves identifying, evaluating, prioritizing, and mitigating vulnerabilities in a system, network, or software. Patching critical assets reduces the chances of malicious access that could result in a cyber-attack of material impact.
Backup & Recovery: It’s important to create copies of data and store them in a separate location where they can be retrieved in recovery efforts. In cases of ransomware, or even wiper malware, having strong and reliable backups is essential to reducing downtime (resulting in loss of revenue) and ensuring the plant is up and running as close to operational efficiency as possible.
Implementing the above recommendations will aid in the annual reporting of cybersecurity risk management, strategy, and governance the SEC is requiring, while also giving the confidence investors need when considering their financial interests.