SEC Final Rule on Cybersecurity Explained

Published On Jul 31, 2023

Item 1.05 – Disclosing material cybersecurity incidents (Form 8-K)
This seems to be the most talked about aspect of the amendment. It requires registrants to disclose “any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material.”

There are two caveats to this: the filing may be delayed if the Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, or if a conflicting Federal requirement to report applies. On the latter, the SEC identified only one such requirement, the FCC’s breach notification rule for customer proprietary network information, which lets covered carriers delay the Form 8-K by up to seven business days after notifying the Secret Service and FBI.

Each company will have to determine what is “material” to it, applying the same securities-law materiality standard used elsewhere in its filings (what a reasonable investor would consider important), which covers qualitative harm such as reputational or operational damage, not just dollar figures. Most conversations I’ve seen center this on the financial team determining impact based on revenue or profit. The application of that definition will ultimately be up to the registrant (the SEC’s term for the company).

The key here is that the four business days run from the point at which the company determines that a cybersecurity incident is material, and the rule requires that determination to be made without unreasonable delay after discovery. A company would need a detection and response capability, along with a level of forensics, to be able to properly discover, react, and then present the right information to the company decision makers on its materiality. You’d also need legal counsel to help make the right decisions on whether an incident is material. An incident response plan (IRP) with clearly identified roles would enable this. Ideally, an IRP that’s been through a tabletop exercise (TTX).

This is a significant requirement, and meeting it depends on a number of capabilities. It’s not as simple as “being able to report in four days”.

Item 106(b) – Risk Management and Strategy (Regulation S-K)
The SEC is requiring a few items here, and it’s slimmed down from the proposed rules.

In reality, if there’s no program in place this will be an easy section to write for public companies: “No processes in place for cybersecurity”. That’s not likely to happen, so what would be required in order to have a well written disclosure?

Without citing a specific standard or framework, this would mirror the expectations of a program built on NIST CSF or another modern control-based framework. A company would need a cybersecurity program, one that starts with (and expects regular) risk assessment of the current state, establishes a target state, and crafts a roadmap to get from one to the next.

It’s basic and direct.

Conduct a risk assessment, use third parties to validate the results, and establish a set of policies and processes in a program that is governed. The disclosures expected will require a level of detail on a company’s overall cybersecurity program, its governance, reporting, and maturation plans over time. Without an established program, it would be impossible to meet this requirement. It’s more than just proving that written policies are documented.

The SEC is looking for an established cybersecurity program. And one that factors in the risks posed by the use of third parties.

Item 106(c) – Governance
This one backed off the cybersecurity expertise requirement for Board members (I think much to the chagrin of DDN and others’ posturing that CISOs would be scooped up to be board members solely because they’re CISOs). It does keep the Board’s oversight of risk from cyber threats in place.

Here we’ll expect disclosures to outline how the Board hears about risk and on what cadence. The outline should include whether there’s a CISO, how regularly they present, what metrics are being reviewed, and how incidents are handled when brought to the Board level. It should also describe whether this is discussed at the full Board, the Audit committee, or even a smaller pairing of directors.

Here is the connector between the two sections of Item 106. A well written disclosure, one that would give investors comfort in that public company’s ability to address cybersecurity, would state that cybersecurity is management’s responsibility and explain how it’s assessed and then managed. Ideally, this has a named, experienced CISO or a reputable third-party vCISO provider in place, empowered with both the correct authority and the financial resources to implement a cybersecurity program that’s worthy of public disclosure. Under the CISO, there is a program that is effective and mirrors NIST CSF (or other standards) in its ability to “monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents”.

I don’t see a lackluster or bare minimum cyber program being able to withstand investor scrutiny of this requirement.

Website - https://sidechannel.com
Podcast - https://anchor.fm/cisolife