SEC Attack Disclosure Rules: From the Frying Pan to the Fire
Date:
March 26, 2024
Bob Zukis, CEO of Digital Directors Network, penned an interesting assessment of the recently enacted SEC rules requiring publicly traded companies to report “material” security events within four days.
Since the new rules went into effect in December 2023, some big logo companies have reported security events under the rules, including the liked of UnitedHealth Group, Microsoft, Hewlett Packard, Prudential Financial and Loan Depot, to name just a few.
But in the opinion of Zukis, the filings made thus far under the new rule set are “not compliant with the new SEC cybersecurity incident disclosure rules.”
Zukis notes that the SEC requires “a description of <sic> the material aspects of the nature, scope and timing of the incident... As the investigation proceeds, disclosure amendments are to be filed as further material information arises about the incident.”
“However, none of the first disclosures made under the new SEC disclosure rules includes descriptions of the material impacts or reasonably likely material impacts of the incident. However, companies by definition, must have an understanding of these, otherwise they would not have made the disclosure filing in the first place. And notably, what all of the disclosures also have in common is that they are all based exclusively on the qualitative impacts of the incident. None of them reference any quantitative impacts, i.e., revenue loss, earnings impact, costs to remediate, share value loss.”
“Are these failures to describe the material impacts, or reasonably likely material impacts of the incidents intentional? Are these filings initially a poorly executed legal compliance exercise for companies? Are companies rushing to disclose? Does it demonstrate a lack of understanding of the SEC rules? Is it a failure to understand or have an informed and deliberative process in place that identifies the far-reaching impacts of an incident?”
Takeaway: All important questions, and one must wonder if the authors of the SEC reporting rules actually have any understanding of the nature of incident response and forensic investigations.
With ill-informed regulatory requirements, company officers and Boards of Directors are going to find themselves increasingly in the crosshairs. We will likely soon see some victims of ransomware attacks prosecuted – especially if sensitive or regulated data was compromised or exfiltrated in the attack.
The government has failed to protect organizations from these relentless and disruptive onslaught of ransomware attacks, which makes them look ineffective, and the government does not like to look inept they know they have to do something.
So, they opt to re-victimize the victims of these attacks so they can pat themselves on the back and say they are doing something to address the ransomware problem. In reality, they are just making the fallout from these attacks worse for the victims.
Late last fall, the SEC announced enforcement actions against software services SolarWinds Corporation and the company’s chief information security officer, Timothy G. Brown, alleging fraud for internal control failures related to known security risks.
The complaint alleges that from the period following the company’s initial public offering through the December 2020 announcement that it was the victim of a two-year long cyberattack, SolarWinds and CISO Brown mislead investors by overstating the cybersecurity protections the company had in place and for not accurately disclosing known risks.
“In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time,” the SEC said in a statement.
Then you look at the legal actions taken against the former CISO for Uber and we are witnessing a significant sea change regarding where liability lands for security-related decisions.
But we need to be careful not to confuse disclosing information about a cyberattack with actually informing investors why an attack should be considered in their investment decisions.
Forensic investigations are difficult, and they take time – a lot of time. The disclosure rule set by the SEC has the potential to create a situation where an attack is disclosed but the details are murky because it could be weeks or months before the organization can adequately assess the information the SEC is requiring be reported.
Leadership is now a position where they must either trickle out incomplete information over time as the investigation progresses and simply end up dying by a thousand cuts. Or worse, they find themselves facing regulatory actions for failure to adhere to SEC reporting rules that don’t line up with the reality of a post-attack incident response.
Remember what happened to Okta when they tried to be timely and transparent about a breach event? Their stock was hammered, and the CEO was unfairly criticized for how they handled the disclosures.
The inability to provide concrete answers immediately will create confusion and anxiety for investors and attempts to be forthright and transparent will result in escalating disclosures that give the appearance that the fallout is getting worse by the day when it’s just the natural course of a complicated investigation.
And while the C-Level and BoD are increasingly at risk of legal and regulatory actions, it is most likely the CISO or equivalent who is facing the most risk, as they traditionally get thrown under the bus following a successful attack.
Organizations who were already struggling to defend themselves against the threat from ransomware and data extortion attacks now also have to face the threat of being re-victimized by an overzealous legal and regulatory landscape.
Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.