Three recent notable regulatory and legislative developments are significantly heightening expectations on cybersecurity disclosures and attestations.
- CISA Cyber Critical Infrastructure Incident Reporting. On March 15, President Biden signed into law an omnibus spending bill that incorporates the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“Cyber Incident Reporting Act”), which requires covered critical infrastructure owners and operators to report covered cybersecurity incidents to the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours, and ransomware payments within 24 hours, along with updates if substantial new or different information becomes available.
- SEC Cyber Incident and Risk Disclosures by Public Companies. On March 9, the U.S. Securities & Exchange Commission (SEC) released a Notice of Proposed Rulemaking (NPRM) on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. The proposed rule, which would formalize and expand on existing interpretive guidance requiring disclosure of “material” cybersecurity incidents, would require:
  - Reporting about material cybersecurity incidents on SEC Form 8-K four business days after the registrant determines that it has experienced a material cybersecurity incident.
  - Periodic disclosures regarding, among other things:
    - A registrant’s policies and procedures to identify and manage cybersecurity risks;
    - Management’s role in implementing cybersecurity policies and procedures;
    - Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and
    - Updates about previously reported material cybersecurity incidents.
- Secure Software Development Practice Attestation by Federal Vendors. On March 7, the Office of Management and Budget (OMB), in accordance with Executive Order 14028 on “Improving the Nation’s Cybersecurity,” announced that Federal agencies must begin to adopt recent software security guidance promulgated by the U.S. National Institute of Standards and Technology (NIST), including by requiring vendor attestation to compliance with the new NIST guidance. More on this development can be found in our recent bulletin regarding heightened software security threat and regulatory pressures.
Why It Matters
Taken together, these developments occasion a significant expansion of disclosure of a company’s cybersecurity posture to external stakeholders.
Both the Cyber Incident Reporting legislation and the SEC Cybersecurity NPRM include common themes:
- Time-bound notifications. As noted above, both provisions require external notifications for specified incidents within a matter of days, although, importantly, the SEC NPRM notes that the triggering event is the date on which a company determines the cyber incident is material, rather than the date of discovery. The Cyber Incident Reporting Act clock starts ticking at the time the covered entity “reasonably believed that the covered cyber incident has occurred.” Neither provision contemplates waivers from the deadlines in question.
- Defining significant incidents. Both provisions limit reporting obligations to significant incidents – that is, incidents that are “material,” in the case of the SEC NPRM, or “substantial cyber incidents” in the case of the Cyber Incident Reporting law. For SEC purposes, information is “material” if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.” The Cyber Incident Reporting Act lists a number of factors on what constitutes a “substantial cyber incident” including substantial loss of a system’s confidentiality, integrity or availability; serious impacts to safety and resiliency of operational systems; disruption of business; the sophistication of threat tactics; the number of individuals potentially affected; and related considerations.
- Updates. Both provisions also mandate updated disclosures as the nature of the incident is further understood.
- Third party risk. Both provisions require disclosures around certain aspects of third party risk from a company’s suppliers. In the case of the Cyber Incident Reporting Act, one of the factors that influences whether an incident is “substantial” is if the incident is facilitated through a supply chain compromise. For its part, the SEC NPRM would require disclosure concerning a registrant’s cyber risk management practices regarding the selection and oversight of third party entities.
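The different clocks described above are easy to get wrong in practice, because discovery, “reasonable belief,” and the materiality determination are three separate timestamps. The following is an added example, not part of the original bulletin and not a product of The Chertoff Group, showing how an incident tracker can record each trigger separately and derive the deadlines from the right one. The 72-hour, 24-hour, and four-business-day windows are taken from the text above; the sample timestamps are constructed, and the business-day calculation assumes a Monday-to-Friday week with no holiday calendar.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

UTC = timezone.utc


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `start` by `days` business days (Mon-Fri).
    Assumption for this example: no holiday calendar is applied."""
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0 = Monday ... 4 = Friday
            remaining -= 1
    return current


@dataclass
class IncidentTimeline:
    # When the SOC first observed the activity. Deliberately NOT a deadline trigger
    # under either regime, but worth recording to show the gap to the trigger events.
    discovered: datetime
    # Cyber Incident Reporting Act trigger: "reasonably believed" a covered incident occurred.
    reasonably_believed: datetime
    # SEC NPRM trigger: the date management determines the incident is material.
    materiality_determined: Optional[datetime] = None
    # Ransomware payment date, if any (separate 24-hour CISA clock).
    ransom_paid: Optional[datetime] = None


def reporting_deadlines(t: IncidentTimeline) -> Dict[str, Optional[datetime]]:
    """Derive each external notification deadline from its own trigger event."""
    return {
        # CISA: 72 hours from reasonable belief, not from discovery.
        "cisa_incident_report_due": t.reasonably_believed + timedelta(hours=72),
        # CISA: 24 hours from a ransomware payment.
        "cisa_ransom_payment_report_due": (
            t.ransom_paid + timedelta(hours=24) if t.ransom_paid else None
        ),
        # SEC: four business days from the materiality determination.
        "sec_form_8k_due": (
            add_business_days(t.materiality_determined, 4)
            if t.materiality_determined else None
        ),
    }


def overdue(t: IncidentTimeline, now: datetime) -> List[str]:
    """Return the names of deadlines that have already passed at `now`."""
    return sorted(
        name for name, due in reporting_deadlines(t).items()
        if due is not None and now > due
    )


# Constructed sample timeline: discovered on a Monday, reasonable belief a day later,
# materiality determined Thursday evening, ransom paid Friday morning.
SAMPLE = IncidentTimeline(
    discovered=datetime(2022, 4, 4, 9, 0, tzinfo=UTC),
    reasonably_believed=datetime(2022, 4, 5, 14, 0, tzinfo=UTC),
    materiality_determined=datetime(2022, 4, 7, 17, 0, tzinfo=UTC),
    ransom_paid=datetime(2022, 4, 8, 10, 0, tzinfo=UTC),
)

if __name__ == "__main__":
    for name, due in reporting_deadlines(SAMPLE).items():
        print(f"{name}: {due.isoformat() if due else 'n/a'}")
    print("overdue on 2022-04-12:", overdue(SAMPLE, datetime(2022, 4, 12, 12, 0, tzinfo=UTC)))
```

Note that the SEC deadline in the sample lands on the following Wednesday because the weekend does not count, while the CISA 72-hour window runs on calendar hours and expires on Friday afternoon; a tracker that keys both off the discovery date would report the CISA deadline a day early and risk missing the SEC determination-based trigger entirely.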
That said, there are also key differences between the two:
- Scope of impacted organizations. Most obviously, the SEC NPRM applies to public companies, whereas the Cyber Incident Reporting Act applies to critical infrastructure owners and operators. That said, a number of companies may fall into both categories.
- Dissemination of disclosures – public versus confidential. Whereas SEC disclosures are by nature public, Cyber Incident Reporting Act notifications stay confidential and are protected by essentially the same suite of safeguards as originally included in the Cyber Information Sharing Act of 2015, including preservation of attorney-client privilege.
- Scope of disclosures – incident versus broader cyber program elements. Whereas the Cyber Incident Reporting Act applies to discrete incidents only, the SEC NPRM would (as noted above) require a series of additional disclosures around a company’s cybersecurity risk management program.
- Incident detail. The Cyber Incident Reporting Act mandates the sharing of incident-specific information, including threat actor tactics, techniques and procedures and related indicators and observables. This is valuable not only for immediate damage assessment but also at an operational level, enabling more complete “sightings” of threat actor activity so that defenses can be prioritized. MITRE’s Center for Threat Informed Defense recently unveiled a sightings ecosystem project and dataset that offers an example of how sightings can help by giving defenders a picture of what threat techniques are used where and when.
- Board expertise. The SEC NPRM proposes to require very specific disclosures about the level of cybersecurity expertise on the Board, including prior work experience, certifications or degrees, and related knowledge, skills or other background in cybersecurity.
What to Do About It – Five Key Steps to Prepare
Each of these provisions requires engagements with the private sector before coming fully into effect.
- The SEC NPRM is subject to a 60-day comment period.
- The recently-enacted cyber incident reporting legislation requires CISA to issue an NPRM defining and articulating criteria for what counts as a “covered” incident and entity, all of which would be subject to a comment period.
While these anticipated new mandates are subject to further definition and modification, organizations should start planning now for how to comply with both provisions. Here are five steps companies can take to prepare for both mandates:
- Start by understanding your business profile and potential cyber impacts in business and financial terms – both for your own company and your customers. Organizations should document high value assets, or the key technology systems most important to operating and defending the business. This is foundational for categorizing incidents as “material” or “substantial” and also informs all other steps below.
- Implement a threat-informed defense, for example utilizing the MITRE ATT&CK framework, where likely threat tactics, techniques and procedures are identified and then mapped to threat-specific mitigations and detection data sources. A corollary step is implementing response-oriented engineering, whereby logging and correlation strategies are implemented to streamline the process for understanding and thereby containing incidents when they do occur. This speaks to the SEC expectation on undertaking “activities to prevent, detect, and minimize effects of cybersecurity incidents.” This measure also ensures the availability of operational threat information for Cyber Incident Reporting Act purposes, and streamlines the process for providing incident updates as required in both mandates.
- Consider how effectiveness will be evaluated. The SEC expects characterizations of how cybersecurity risk will be monitored and measured, as well as how assessors, consultants and auditors are used to assess risk. Validating that cybersecurity measures are operationally effective in defending against likely threat activity is also key to ensuring accuracy of reporting required by both mandates.
- Review the company’s oversight framework both for management and the board. Doing so helps address the SEC NPRM expectation that “cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation”. Key issues referenced in the SEC NPRM include:
a. Whether a cybersecurity risk management program is in place and incorporates risk assessment; independent assessments and audits; third party service provider risk management policies and procedures; activities to prevent, detect and minimize effects of cyber incidents; business continuity, contingency, and recovery plans; consideration of how previous cybersecurity incidents informed changes in the registrant’s governance, policies and procedures, or technologies; as well as how cybersecurity related risks and incidents may affect the registrant’s strategy, business model, results of operations, or financial condition;
b. Whether the entire board, specific board members, or a board committee is responsible for the oversight of cybersecurity risks;
c. The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic;
d. Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight;
e. Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
f. The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and
g. Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk;
h. Whether the company has a designated chief information security officer, and if so, to whom that individual reports, and the relevant expertise of any such person; and
i. Whether there is cybersecurity expertise on the board (considering the criteria described above).
- Ensure the company exercises its processes for responding to a cybersecurity incident. Doing so validates that management and boards understand their responsibilities in a crisis, and thereby ensures that SEC and Cyber Incident Reporting Act disclosures and updates will be timely and accurate.
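The second step above (mapping likely techniques to detection data sources and mitigations) is the one most readily turned into a repeatable check. The following is an added example, not part of the original bulletin and not a product of The Chertoff Group or MITRE, showing how a small ATT&CK coverage map can answer three questions an incident-reporting program needs answered in advance: which expected techniques the SOC is currently blind to, which log source would close the most gaps if added next, and which mitigations the expected techniques call for. The technique and mitigation IDs are real ATT&CK identifiers, but the data-source and mitigation mappings are a constructed, hand-picked subset for illustration, not an export of the ATT&CK knowledge base; the expected-technique list and the set of collected sources are likewise constructed sample input.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Technique:
    name: str
    data_sources: FrozenSet[str]   # ATT&CK data sources that can observe the technique
    mitigations: FrozenSet[str]    # ATT&CK mitigation IDs that reduce its likelihood/impact


# Constructed, illustrative subset of ATT&CK content (assumption: not authoritative data).
TECHNIQUES: Dict[str, Technique] = {
    "T1566": Technique("Phishing",
                       frozenset({"Network Traffic", "Application Log", "File"}),
                       frozenset({"M1017", "M1049"})),
    "T1078": Technique("Valid Accounts",
                       frozenset({"Logon Session", "User Account"}),
                       frozenset({"M1032", "M1027"})),
    "T1059": Technique("Command and Scripting Interpreter",
                       frozenset({"Command", "Process", "Script"}),
                       frozenset({"M1038", "M1049"})),
    "T1021": Technique("Remote Services",
                       frozenset({"Logon Session", "Network Traffic", "Process"}),
                       frozenset({"M1032", "M1030"})),
    "T1486": Technique("Data Encrypted for Impact",
                       frozenset({"File", "Process", "Command"}),
                       frozenset({"M1053"})),
}


def detection_coverage(expected: List[str], collected: Set[str]) -> Dict[str, dict]:
    """For each expected technique, list which of its data sources the SOC already
    collects and which are missing. A technique with no collected source is a blind spot."""
    report = {}
    for tid in expected:
        tech = TECHNIQUES[tid]
        have = tech.data_sources & collected
        report[tid] = {
            "name": tech.name,
            "covered_by": sorted(have),
            "missing": sorted(tech.data_sources - collected),
            "blind_spot": not have,
        }
    return report


def blind_spots(expected: List[str], collected: Set[str]) -> List[str]:
    """Techniques the current logging cannot observe at all."""
    return [tid for tid, row in detection_coverage(expected, collected).items()
            if row["blind_spot"]]


def logging_gaps(expected: List[str], collected: Set[str]) -> List[str]:
    """Missing data sources ordered by how many expected techniques each would help
    observe, so the response-oriented logging backlog can be prioritized."""
    counts: Dict[str, int] = {}
    for tid in expected:
        for src in TECHNIQUES[tid].data_sources - collected:
            counts[src] = counts.get(src, 0) + 1
    return sorted(counts, key=lambda s: (-counts[s], s))


def mitigations_for(expected: List[str]) -> Set[str]:
    """Union of ATT&CK mitigations mapped to the expected techniques."""
    out: Set[str] = set()
    for tid in expected:
        out |= TECHNIQUES[tid].mitigations
    return out


# Constructed sample: a ransomware-style chain the threat model says is likely, and the
# data sources a hypothetical SOC collects today (only network flow and logon telemetry).
EXPECTED = ["T1566", "T1078", "T1059", "T1021", "T1486"]
COLLECTED = {"Network Traffic", "Logon Session"}

if __name__ == "__main__":
    for tid, row in detection_coverage(EXPECTED, COLLECTED).items():
        status = "BLIND" if row["blind_spot"] else "partial" if row["missing"] else "full"
        print(f"{tid} {row['name']}: {status}; missing {row['missing']}")
    print("add next:", logging_gaps(EXPECTED, COLLECTED))
    print("mitigations:", sorted(mitigations_for(EXPECTED)))
```

With the sample input, the two impact-stage techniques (command execution and file encryption) are complete blind spots, and Process telemetry is the single source that would help with the most expected techniques, which is the kind of evidence-based prioritization the bulletin's "response-oriented engineering" step calls for. The same coverage rows double as the technique-level detail a Cyber Incident Reporting Act notification asks for once an incident occurs, since each observed technique is already tied to the data source that observed it.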
The Chertoff Group has deep experience helping organizations of all sizes rapidly implement threat and risk-informed cyber defenses. Contact email@example.com for more information.