The new SEC disclosure rule: what security leaders need to do next


Today’s columnist, John Morello of Gutsy, understands why many in the industry oppose the new SEC cybersecurity rules, but that doesn’t mean they still don’t have to find a way to comply. (Stock Photo, Getty Images)

A significant shift in how companies must comply with cybersecurity reporting and disclosure requirements means security leaders will begin 2024 reviewing the most efficient ways their organizations can comply with December 18th’s ruling.

Much attention has been paid to an 11th-hour change in the final version: companies no longer need to disclose specific or technical information about their incident response, systems, or potential vulnerabilities if doing so could impede their ability to respond and remediate.

Just a few weeks prior to the change, Republicans in the House and Senate introduced Congressional Review Act (CRA) resolutions in an effort to reverse the ruling. They argued that the requirements are duplicative of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and will effectively create more work on an already resource-constrained cybersecurity workforce.

Many in the industry agree, adding that publicly disclosing sensitive breach information so soon after a breach could increase exposure and risk before the underlying problem is fixed.

And their caution makes sense. In November, a ransomware gang filed a “failure to report” complaint with the SEC against its own victim, over a breach the gang itself had committed. This unprecedented move was a daring new attempt to bring a CISO’s personal liability into play in ransomware negotiations. It exposed the seams in the mandate and showed that attackers can use it as an additional lever to pressure targets.

But is the push to scrap the mandate ultimately justified? It’s not that simple. There are two sides to every argument.

The contention this ruling created is understandable, because the rules must navigate the complexity of who the real victims and responsible parties in an attack are. While the responsibility of the attacker is clear, the “victims” of an attack are often not its direct target, but rather other parties whose data the target holds.

Disclosure policies ideally exist to offer awareness and transparency to those second-order victims, who otherwise may not even be aware their data has been compromised. Without some reporting requirements, the incentive for data custodians is to suppress information about attacks to preserve their corporate reputations and limit risk. Clear disclosure requirements give these custodians greater accountability for protecting data and give second-order victims awareness and time to take protective steps.

But at the same time, the details of the regulation are crucial: it's critical we all understand the definition of an incident and what constitutes the reporting threshold. Security organizations manage many events per day that are commonly referred to as incidents, yet most are mundane and low risk. Without a clear boundary for what constitutes a reportable incident, organizations will struggle with compliance. Worse, the very awareness the reporting seeks to create will be diluted by a low signal-to-noise ratio: if organizations constantly report every possible incident, it becomes effectively impossible for victims to determine which ones actually matter.

The big question: should we eradicate the rule or modify it?

Many will use the recent weaponization of the mandate to push for change. But blackmail has probably existed for as long as laws have. Simply because an attacker may try to use reporting requirements to increase their leverage and sense of urgency in victims does not mean that reporting itself is bad.

Indeed, consider the alternative: the second-order victims whose data the attacker compromised might simply never learn of the incident and thus never have an opportunity to take protective steps.

Make the necessary modifications

Security leaders need to understand that disclosure decisions and plans are no longer governed only by security best practices, but now also by federal legal liabilities. While the final rule's accommodation on technical detail offers some additional flexibility in the disclosure process, security leaders still must decide quickly how to shift from the traditionally slower, more static approach to governance to the now-required on-demand response to real-time data.

Start with an audit of existing security reporting processes. An updated playbook and corresponding training are just the beginning. Change management for security teams will increase the chances that any shifts in process stick within the organization. Security teams need to understand how any protocol changes bring the organization into compliance, as well as what the adjustments mean for their workflows, both as individuals and as a team.

For CISOs, embracing the reality of quarterly, or even weekly, compliance reviews will go a long way. The fastest way to make such a shift is to deploy platforms that programmatically minimize manual intervention, deliver governance and oversight of security-specific processes and workflows, and transparently document each step.

The sooner process accountability and transparency become the lifeblood of an organization's security framework, the better prepared CISOs will be to manage future threats and the evolving rules designed to address them.

John Morello, chief technology officer, Gutsy