SEC to Enterprises: “Account for Cybersecurity in Dollars and Sense.”
On October 13 the Securities and Exchange Commission (SEC) released CF Disclosure Guidance: Topic No. 2. This document establishes requirements for public companies to account for the cost of cybersecurity incidents and defenses, as well as to disclose their cyber risk mitigation plans to investors.
This sets the stage for a scene where a public company loses in court, a judge ruling their cyber risk mitigation plan not reflective of diligent best practices.
How this reflects into actions by enterprises will tell whether this matters or not, of course. But putting the question explicitly into the class-actionable hands of investors could focus many organizations on a topic they can relate directly to:
“When you are standing in court, do you really expect the jury to believe you have done enough?”
From the document:
The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.
That a reasonable investor would consider important. Like, “What have you done to keep hackers from disabling your global game network/energy generation/shipping operation?” It would be encouraging to see investors requiring that answer in writing. Most importantly to align the people who would do the work if they could, with the resources they need.
The next bit ties cyber disclosure requirements to existing disclosure processes, which is rather tidy:
Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.
IOW: “It doesn’t matter if your capital equipment has a mean time between failure of twenty years, if you give it an open Internet connection you will have to capitalize the risk as if it will be dead in a week.”
The next section talks about Risk measurement.
“…we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents.”
Prior history in IT security will provide a lot of fodder in that realm to plot severity and frequency curves. Recent ICS vulnerability trends, Stuxnet and other related news should be enough that a reasonable investor could be assumed to ask how the curves in that part of the business are kept from getting all spiky, too.
“…consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.”
As investors and enterprises unwind that one, the risk of low-likelihood high-impact incidents may in some cases turn out to more than justify the cost of remediation.
“…consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.”
In the context of the industry in which they operate.
Energy, banking, transportation.
The rest of the document then goes on to describe the general detail of disclosure content, legal process and financial reporting. But at the end, there is this nugget:
“To the extent cyber incidents pose a risk to a registrant’s ability to record, process, summarize, and report information that is required to be disclosed in Commission filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective. For example, if it is reasonably possible that information would not be recorded properly due to a cyber incident affecting a registrant’s information systems, a registrant may conclude that its disclosure controls and procedures are ineffective.”
Security isn’t much without knowing what just happened, so that sounds a lot like secure logging.
Some of the wording seems to indicate that the authors were at perhaps not deeply aware of the state of ICS cybersecurity, but aware enough to focus on “operational” and financial terms which would include both.
There could be hope that this kind of guidance from those who hold the Big Purse Strings will have a positive effect on security efforts. Compliance with a given regime such as PCI or NERC CIP by itself would not necessarily satisfy a reasonable investor with more than a passing familiarity with cybersecurity.
Chris Blask authored the first book on SIEM, "Security Information and Event Management Implementation", published by McGraw Hill. Today he is Vice President of Industrial Control Systems Group at AlienVault, the producer of the world's most popular SIEM technology, and is on faculty at the Institute for Applied Network Security (IANS).