SEC BOD Guidance for CISOs

It’s now been a year since the SEC published its InfoSec (Materiality) reporting requirements…

WHAT THE SEC IS REALLY TELLING (ALL) CISOs THEY SHOULD BE DOING…

Now before you dismiss this blog because your organization is not a public company and therefore this new guidance legally does not apply to you, you should still pay attention for five reasons:

  1. The SEC guidance has two components: materiality reporting and Board of Director (BOD) involvement.
  2. While most (if not all) of the InfoSec media has been focusing on the materiality reporting component, it’s the BOD oversight requirement that should be “front and center” for all CISOs.
  3. The standard of due diligence for CISOs is constantly evolving, and this BOD guidance has raised the bar for both CISOs and their Boards of Directors.
  4. It is rumored that various states are also looking at similar legislation as they strive to hold companies responsible for protecting the information of their residents.
  5. None of this is either new or solely in the domain of publicly traded companies.

This blog is going to discuss the SEC guidance and why neither of these requirements is “new” nor exclusive to public companies, how organizations are currently describing their BOD InfoSec involvement in their annual reports (including during incidents), and how CISOs can leverage this opportunity to improve their overall InfoSec “consciousness” to be more business focused and ultimately more effective at mitigating their organization’s material risks.

The SEC Guidance1:

“SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies

FOR IMMEDIATE RELEASE 2023-139

Washington D.C., July 26, 2023

The Securities and Exchange Commission today adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.

The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant’s annual report on Form 10-K.”

How this is manifesting in Section 1.C Cybersecurity of recent Annual Reports:

Below is a redacted extract from a random Annual Report:

Governance

The Board, in coordination with the Audit Committee, oversees the management of risks from cybersecurity threats, including the policies, standards, processes and practices that the Company’s management implements to address risks from cybersecurity threats. The Board and the Audit Committee each receive regular presentations and reports on cybersecurity risks, which address a wide range of topics including, for example, recent developments, evolving standards, vulnerability assessments, third-party reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding such incident until it has been addressed. On a regular basis, the Board and the Audit Committee discuss the Company’s approach to cybersecurity risk management with the Company’s cyber team and senior leadership team.

BOD reporting has always been a requirement depending on the severity (i.e., “materiality”) of the incident. During TTXs with my clients, active BOD involvement is commonly discussed with regard to ‘paying the ransom.’ If any of these BOD requirements apply to you, I would expect to find:

  1. A policy from the BOD directing such reporting and specifying the parameters of such reporting (from the example above):
    1. “prompt & timely”
    2. “Established reporting thresholds”
    3. “Ongoing Updates”
    4. “addressed”
    5. Active BOD involvement versus oversight. The example cited above was one of the more BOD “involved” and is not representative of most of the 10-Ks seen by this author.
  2. Your CIRP should reference the policy and provide actionable guidance to meet this requirement. BOD reporting would manifest in a number of ways:
    1. Roles & Requirements: Who on the CIRT is responsible for this task
    2. “Established reporting thresholds” – You should notify the BOD:
      1. Prior to any media notification
      2. Prior to any contractual notification (e.g., Cyber Insurance)
      3. Prior to any statutory/regulatory reporting (e.g. Materiality, State OAG)
      4. Immediately upon noticing one of your employees posted something on social media (True story)
      5. Immediately upon noticing anything posted on social media
      6. Once contacted by the media
      7. Once contacted by law enforcement or prior to engaging law enforcement
      8. Upon the initiation of an “incident”, Severity 1 or “critical” incident/outage
      9. Upon receipt of a cyber extortion demand
      10. Whenever the CEO determines it’s necessary
      11. All of the above
      12. None of the above. The BOD hired you to take care of these things and their role is strictly “oversight.”
    3. “Ongoing Updates”
      1. Incident versus “Regular”
      2. Reporting templates
      3. As part of a management briefing process (documented/tested)
      4. Leveraging out-of-band communications (in case your email is also compromised)
      5. By whom (see Roles & Requirements above)
    4. Until the incident is “addressed”:
      1. Was the source of the compromise identified, contained, and eradicated?
      2. Did we confirm that other systems were not affected?
      3. Have all the required actions/obligations (e.g., notifications) occurred?
      4. Are there any significant activities outstanding that require the immediate attention of the CIRT to resolve?
      5. What systems and/or processes failed to prevent, detect, and/or correct the compromise of the affected system?
      6. Have the appropriate changes been made to prevent future occurrences of the incident from affecting our systems?
      7. Has a discussion with members of the CIRT occurred and was there consensus that the incident has been resolved?

Why none of this is new, nor solely for public companies:

Materiality reporting originated with Rule 10b-5 that was enacted in 1934 by the U.S. Securities and Exchange Commission (SEC) to target securities fraud. Two related rules, Rule 10b5-1 and Rule 10b5-2, were issued in 2000 to create more current legal perspectives regarding securities fraud. Additionally, the SEC reporting obligation is but one of many statutory and contractual reporting obligations organizations need to satisfy during an incident. One of my clients found a reporting stipulation in a Purchase Order. Finally, if you have an incident with “material” implications for the organization, at a minimum, somebody had better be reporting that to the BOD.

Board of Director involvement is not new either. One of the first “shots across the bow” was the 2007 TJ Maxx PCI breach2. Their largest shareholder wanted to know about their InfoSec due diligence, up to and including their BOD. I routinely provide my BOD clients with a copy of the National Association of Corporate Directors (NACD) “Cyber Risk Oversight” Handbook. Written in 2014….

What the SEC is really telling (all) CISOs they should be doing: Top Down versus Bottom Up InfoSec

Another way to describe this approach is home building. We’ve all lived in a “tract home” at one time in our life. These homes are built to industry standards by professionals. They are inspected by auditors (Building Inspectors). But they are built with little customization for their eventual occupants. The next level of home building is the “custom” built house. These are architected to meet the unique needs of the occupant. Bill Gates has a bowling alley in his home. This is the standard the SEC wants CISOs to “build” to.

Let me provide you with an InfoSec example. During a management InfoSec tabletop exercise (TTX) with a law firm that defends celebrities/athletes against all kinds of accusations (civil and criminal), the question was asked of the management team, “What’s the worst that can happen during a cyber intrusion event in which the attacker has complete access to your network?” (I was looking for that “business extinction” risk.) “What if our litigation work files appeared on the Dark Web?” was the managing partner’s response. “That would be very bad. Business Extinction bad. The firm would lose all of our clients. We would be sued. And many of our clients would be publicly humiliated and never work again.” After lunch, when I TTX’ed the technical/InfoSec team, their basic InfoSec “blocking and tackling” was fine (“tract house”). About halfway through I asked, “What about these litigation work files?” (Only the CISO had been at the management TTX.) They didn’t have a clue. None of their technologies nor procedures were “tuned” to this “business extinction” risk.

“Material” cyber risks are what resonate with the BOD and senior management. These include “Business Extinction” risks. Life extinction risks fall in there too. This may resonate with those of you that have OT/ICS infrastructures that may go “boom”. One example from a TTX was “what if the computer managing the 6-hour graceful shutdown of (some big device running at an unbelievably high temperature) malfunctions due to Ransomware?” They had a management epiphany that their multimillion pound (GBP) facility and staff would most likely be obliterated by such a scenario. Admittedly a low probability risk, but a high impact one nonetheless.

Even if you have “boring” InfoSec risks, your efforts should start with the risks to the organization, and then work down through the Infosec process.

  1. Your efforts should start with the organization’s Enterprise Risk Management (ERM) program. Ensure cyber risks are identified and validated by the BOD. Develop a detailed Cyber Risk narrative that meets the “material” requirement in the SEC guidance.
  2. For each of these risks, develop a sense of “context” or “baseline”. A helpful paradigm is “the 4 C’s”:
    1. Content: From the example above, Litigation Work Files. Where is this critical data in your network? Structured and unstructured. Digital and paper.
    2. Communities: Who/What accesses this data? Users, Admins, Service Accounts, credentialed vulnerability scanners, etc.
    3. Channels: What is the normal “flow” of this data to its users? Remote access, S/FTP, API’s, normal hours of operation, digital and paper, etc.
    4. Controls: What control mechanisms (both technical and administrative) prevent and/or detect/log the communities accessing the content via their normal channels? What controls prevent/detect unauthorized activity?
  3. Apply your favorite framework(s) (e.g. NIST, FFIEC, ISO27K, PCI, etc.) and “customize” them in accordance with both the risks to the organization and with the knowledge of your “context”. You should be able to show how each of your controls is specifically aligned with the organizational risk.

The benefits of developing this “context” are as follows:

  • Leverage this information to develop risk-specific SIEM correlation logic and ISOC runbooks. Alert on behaviors that are inconsistent with your unique context. Grow beyond generic threat monitoring.
  • During a Cyber Intrusion event, this information will help identify anomalies and ensure the CIRT is focused on what is most critical to the organization.
  • Privileged Access Management, the old-fashioned way. You may discover that you aren’t disabling your old/unused admin accounts per your policy and find over 100 unused accounts active on your network. (True story)
  • Segregation of Duty / Single Point of Failure analysis. When one person on your IT team has ‘channels’ to way too many systems with critical ‘content’, you might have a problem.
  • Developing/validating/improving your logging strategies. Are the “controls” telling you enough about the “context” for your SIEM to detect anomalous behavior or to support an investigation? Do you have adequate ‘controls’ for your high-risk ‘content’?
  • Identifying high risk users and service accounts. You may find that 90% of your cyber risk lies in 5% of your users. (another true story)
  • Validation that your controls framework (Preventative, Detective, and Corrective) is sufficient and specific to the “material” risks of the organization.
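To make the “4 C’s” context and the first bullet above concrete, here is an added example (not code from the original post) that encodes one context for the litigation work files from the law-firm TTX and runs constructed access events through the kind of risk-specific correlation logic a SIEM would carry. All hosts, account names, channels and events are assumed for illustration.

```python
"""Added example: a '4 C's' context for one material risk and the
correlation logic that alerts on access inconsistent with it.
Every host, account, channel and event here is constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Context:
    content: str
    stores: set          # Content: hosts/shares where the critical data lives
    communities: set     # Communities: accounts that normally access it
    channels: set        # Channels: protocols/paths it normally flows over
    hours: range         # Channels: normal hours of operation (local time)
    bulk_limit: int      # Controls: reads per account in the window before alerting


LITIGATION_FILES = Context(
    content="litigation work files",
    stores={"dms-prod-01", "litshare-02"},
    communities={"svc-dms-index", "alice.atty", "bob.paralegal"},
    channels={"smb", "dms-api"},
    hours=range(7, 20),
    bulk_limit=50,
)


def event_reasons(ctx, ev):
    """Reasons one access event is inconsistent with the context (empty = normal)."""
    reasons = []
    if ev["user"] not in ctx.communities:
        reasons.append("user outside community")
    if ev["channel"] not in ctx.channels:
        reasons.append("unexpected channel")
    if ev["hour"] not in ctx.hours:
        reasons.append("outside normal hours")
    return reasons


def correlate(ctx, events):
    """Map each account that touched this content anomalously to its sorted reasons."""
    alerts, reads = {}, Counter()
    for ev in events:
        if ev["host"] not in ctx.stores:
            continue  # not this content: left to generic monitoring, not this rule
        reads[ev["user"]] += ev.get("files", 1)
        for r in event_reasons(ctx, ev):
            alerts.setdefault(ev["user"], set()).add(r)
    for user, n in reads.items():
        if n > ctx.bulk_limit:  # bulk pull of the critical content
            alerts.setdefault(user, set()).add("bulk read")
    return {u: sorted(r) for u, r in alerts.items()}


# Constructed sample events: an index job, an attorney, an admin at 02:00 over RDP,
# and a paralegal on a share that is not part of this content (ignored by the rule).
SAMPLE_EVENTS = [
    {"user": "svc-dms-index", "host": "dms-prod-01", "channel": "dms-api", "hour": 9, "files": 40},
    {"user": "alice.atty", "host": "litshare-02", "channel": "smb", "hour": 14, "files": 3},
    {"user": "it-admin7", "host": "litshare-02", "channel": "rdp", "hour": 2, "files": 120},
    {"user": "bob.paralegal", "host": "fileserver-hr", "channel": "smb", "hour": 23, "files": 2},
]
```

Running `correlate(LITIGATION_FILES, SAMPLE_EVENTS)` flags only the admin account, with every one of the four context checks failing; the same pattern is how the single-point-of-failure and high-risk-account bullets above get evidence rather than opinion.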

In summary, speaking in the language of the “material” will improve your ability to get beyond the technobabble, maturity models, and threat modeling the BOD doesn’t understand. The better aligned you are with actual business risks (extinction, lost revenue, reputation/market share, litigation/enforcement, etc.) the more likely you will be able to focus efforts and justify FTE & spend to mitigate those risks. Additionally, BOD members are becoming aware of these new requirements and may come to CISOs seeking additional guidance and participation. I recently sat across the table from the Chairman of the Board at one of my management TTX’s. BOD participation has increased noticeably since the SEC guidance.

FYI, the SEC also recently came out with guidance requiring a CIRP.3

This article should not be construed as legal advice and is solely the opinions of the author.

1 SEC.gov | SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies

2 2007: T.J. Maxx parent company sued in credit card hack probe – CNET

3 SEC.gov | SEC Adopts Rule Amendments to Regulation S-P to Enhance Protection of Customer Information