What The New SEC Cyber Disclosure Guidelines Mean For Your Business

Discover the challenges the new SEC cybersecurity guidelines present for your CISO and learn tips on how to handle them at your organization.
Yaki Faitelson
Last updated August 29, 2024

The SEC cybersecurity disclosure rules that went into effect in December 2023 were clarified in June 2024. The guidelines require public companies to report “material” breaches within four business days of the materiality determination and document their processes “for assessing, identifying, and managing material risks from cybersecurity threats” in annual filings.

In this article, I’ll describe the new challenges these guidelines present for your CISO and some tips on how to think about handling them.

The first CISO position, filled by Steve Katz, was born out of a sizeable financial theft involving fraudulent transfers facilitated by digital systems. Sadly, Steve Katz passed away in December. His contributions to the industry are too numerous to recount here. Still, one quote attributed to him stands out: “If I had my way, the modern title would be chief information risk officer, rather than chief information security officer. Cybersecurity is a tool for managing business risk.”

Back in the ‘90s, it made sense that security efforts would focus on keeping attackers out of financial systems—that’s where the biggest cyber-related business risks were. Today, unauthorized transfers are just one of many cyber risks. CISOs also worry about keeping critical systems running. Most of all, they worry about data.

Money can be recovered or written off. Critical systems can go offline and cause significant short-term disruption, but they can be restored. Data can’t be unbreached.

Cyber business risk is information risk

Cyberspace is an active battlefront where businesses are often caught in the crosshairs. Information assets are under constant attack by sophisticated commercial and state-sponsored actors. These assets are easy for commercial attackers to monetize via cryptocurrency.

Information assets also continue to get harder to protect. They’re not always well-organized or routinely audited. When they get stolen, it’s often not obvious, making it harder to determine whether a data breach was material.

Data breaches can change the course of human history, as we saw with Snowden and WikiLeaks. Because data breaches can easily become significant events in a company’s history, public companies now have new guidelines to handle them.

New guidelines make CISOs accountable

Charges brought against CISOs from SolarWinds and Uber create a precedent that individuals can be held accountable for cyber incidents. CISOs used to worry about losing their jobs if they had to report a breach. Now, they, along with other executives, have to worry about their personal liability (and even jail) if they don’t report one. And they have only four days to do so.

The four-day window is especially tight, given the challenges businesses have in assessing a breach and determining materiality. Sixty-eight percent of CISOs believe they are not ready to comply with the disclosure timeline.

This is a big change for CISOs. Information security requires a lot of technical background and systemic thinking. Now, CISOs must overlay technical and information context with business context to determine materiality, and overlay materiality with legal ramifications. It’s like they need to be the CISO, CFO and head of legal all at the same time.

The possible legal consequences and the difficulty of determining materiality would naturally incentivize some CISOs to report cyber incidents whether or not they had been deemed “material.” Not surprisingly, in June 2024, the SEC clarified the guidelines to avoid investor confusion that would come with overreporting.

The clarification states that Item 1.05 in Form 8-K should be reserved for “material cybersecurity incidents.” Companies may continue to voluntarily report cyber incidents that are immaterial or “that have not yet been determined to be material” in a different item of their filing.

The new guidance lets companies err on the side of transparency while preserving the spirit of the original rules, but it still adds pressure to an already pressure-filled job. If CISOs must carry so much responsibility plus the weight of personal liability, they will need more authority, a bigger presence at board meetings and probably more insurance.

The materiality question

Breaches continue to occur despite excellent endpoint and perimeter controls, which almost every business of any size now has. Those controls are clearly not enough to protect data by themselves. Worse, when a compromise happens, businesses must hire expensive incident response services to understand what happened and determine materiality.

To determine materiality, today's most important question is: “Was any sensitive or regulated data stolen and/or lost?” Unfortunately, this question is harder to answer than most executives, boards—and even expensive incident response services—realize.

Though businesses keep ledgers for bank accounts, they frequently don’t keep them for their information banks: the servers, databases and cloud applications that store sensitive data. Without a ledger of what data has or hasn’t been accessed during an incident, CISOs are often forced to assume the worst. Data ledgers are not always part of a company’s IT and security budget today, so CISOs must have the authority to change this. If there’s critical data somewhere, they won’t be able to determine materiality without a ledger.
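As an added illustration (not part of the original article), here is a small Python sketch of what such a ledger lets you answer during an incident: given the compromised accounts and the incident window, which sensitive stores were confirmed touched, which were observed and untouched, and which produced no audit rows at all and so must be assumed exposed. The store names, accounts and timestamps are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample data, not from the article. A real ledger would be built
# from file-server, database and SaaS audit logs joined to a classification inventory.
SENSITIVE_STORES = {          # data store -> classification (the "information banks")
    "db/customers": "PII",
    "share/hr/payroll.csv": "PII",
    "share/finance/q2.xlsx": "financial",
    "crm/contacts": "PII",    # no audit logging wired up: yields no ledger rows
}
ACCESS_LEDGER = [             # (UTC timestamp, principal, store, action)
    ("2024-06-03T09:12:00Z", "svc-backup", "db/customers", "read"),
    ("2024-06-03T11:40:00Z", "jdoe", "share/finance/q2.xlsx", "read"),
    ("2024-06-03T12:05:00Z", "jdoe", "share/hr/payroll.csv", "download"),
    ("2024-06-03T13:30:00Z", "jdoe", "share/marketing/deck.pptx", "read"),
    ("2024-06-05T08:00:00Z", "jdoe", "db/customers", "export"),
]

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def assess_incident(ledger, stores, compromised, start, end):
    """Split sensitive stores into: confirmed (touched by a compromised principal
    inside the window), cleared (logged, but untouched in the window) and
    assume_exposed (no ledger rows at all, so the worst must be assumed)."""
    t0, t1 = parse_ts(start), parse_ts(end)
    observed, confirmed = set(), {}
    for ts, who, store, action in ledger:
        if store not in stores:
            continue                      # not a sensitive store; irrelevant to materiality
        observed.add(store)               # this store at least produces ledger rows
        if who in compromised and t0 <= parse_ts(ts) <= t1:
            confirmed.setdefault(store, []).append(action)
    cleared = sorted(s for s in stores if s in observed and s not in confirmed)
    unobserved = sorted(s for s in stores if s not in observed)
    return {"confirmed": confirmed, "cleared": cleared, "assume_exposed": unobserved}

if __name__ == "__main__":
    result = assess_incident(ACCESS_LEDGER, SENSITIVE_STORES, {"jdoe"},
                             "2024-06-03T10:00:00Z", "2024-06-04T00:00:00Z")
    for bucket, stores in result.items():
        print(bucket, stores)
```

Stores in the assume_exposed bucket are the ones the paragraph warns about: with no ledger coverage, the CISO cannot rule them out and materiality analysis has to treat them as breached.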

The new guidelines also require businesses to disclose their processes to continually assess, prioritize and mitigate information risks. When it comes to materiality and information risks, many organizations are unprepared.

Where is the critical data in the first place? Many executives will be surprised to learn how hard it is to assess the many “information banks” they have among their data centers and cloud resources. If CISOs can’t confirm they know where critical data is stored and that it’s properly protected, the potential liability could be endless. CISOs will need the authority and means to continually assess their data estate.

In the short term, CISOs must work more closely with executives to identify visibility gaps and define processes for determining materiality. Their shared responsibility to protect vast amounts of data, comply with regulations and stay within budget means they will need to work closely with the head of legal and the CFO.

Once they’ve identified their risks, CISOs must have enough authority to address them. Otherwise, liabilities and insurance premiums may incentivize CISOs—and possibly your CISO—to leave for a safer job.

This article originally appeared on Forbes. 
