FAIRCON24: Ex-SEC Enforcer to Warn CISOs to Watch What You Say
David Hirsch, then chief of cyber and crypto enforcement for the Securities and Exchange Commission, spoke at the October 2023 FAIR Conference in a fearful period for the CISO community.
The SEC had recently promulgated rules requiring companies to report a cyber incident within four days of determining the event to be “material” – a term open to confusion – and shortly after the conference, the SEC sued SolarWinds and its CISO, claiming they made false public statements about its cybersecurity practices and – in a new extension of securities law – failed to maintain adequate cyber controls during an attack attributed to Russian threat actors.
A lot has happened since FAIRCON23. Companies adjusted (even over-adjusted) to the new filing rules and a court threw out most of the SEC complaint against SolarWinds and its CISO, ruling that the agency had over-reached in trying to regulate cybersecurity controls. But there’s still a lot up in the air for SEC-regulated companies, including that materiality reporting requirement – and just how aggressive the SEC will yet be in going after CISOs.
We’re tracking filings with the SEC about cyber incidents and estimating their ultimate loss magnitude using the FAIR-MAM standard. Visit How Material Is That Hack?
So, we invited David Hirsch, now a partner at McGuireWoods providing counsel on cyber, crypto and SEC issues, to return to FAIRCON24 for a discussion:
CISO Liability: How Not to Get Singled Out in an Evolving Regulatory Environment
Tuesday, October 1 at 1:30 PM
Also featuring
- Nick Sanna, Founder, FAIR Institute (Moderator)
- Mark Tomallo, CISO, Victoria's Secret
- John Winter, Chief Legal Officer and Counsel, Liberty Latin America
Learn more about the 2024 FAIR Conference
Here’s a short Q&A with Hirsch to preview his FAIRCON24 session.
Q: Did the SEC achieve its goals with the new cybersecurity rules?
A: The SEC goals were multiple but a lot of it was to further make it clear for public companies that they have cybersecurity process and procedure obligations before a breach occurs and an obligation to inform investors in a timely way of material breach.
By and large from what I can tell, companies are doing a good job focusing on the type of process the SEC has emphasized and the information flow between cyber functions and other portions of the company to make sure they are ready to make accurate and timely disclosure if the time comes to inform the general counsel or board of material events.
We are seeing more public 8-K filings and other public disclosure post-breach, all of which are things the SEC hoped to achieve. So, early days but so far so good.
Related Blog Post: Takeaways from First 10-Ks under New SEC Cyber Risk Disclosure Rules
Q: Have companies over-reacted in reporting to the SEC on cyber events?
A: There were what I would describe as defensive disclosures: “It doesn’t rise to the level of materiality but maybe the SEC has a different view so out of an abundance of caution we are both going to tell you we don’t think it's material but also let our investors know about it.”
The SEC responded to that trend by issuing a statement saying the new section of Form 8-K is really intended to be for material events and, if you think you have something that doesn’t rise to the level of materiality but you want to tell your investors, use a different section of the form.
Q: There was a lot of anxiety a year ago about the requirement to report a material cyber event within four days. How has that played out?
A: It is not as big an additional burden as people initially thought, though it’s still early days. The obligation is to make a materiality determination without unreasonable delay and that isn’t defined. It gives people time to work through the process and after that the four-day requirement kicks in. It has not been a sprint to disclosure.
Q: What advice would you give a CISO about staying on the right side of the SEC? (Note: Hirsch worked on the SolarWinds case and declined to comment directly on it.)
A: It is important that CISOs engage in candid internal conversations about areas where the cybersecurity risks have yet to be addressed. There is nothing wrong with having those conversations.
But to the extent that you are aware of vulnerabilities or risks internally you should be careful that you are not making statements out to investors or customers or the public that are inconsistent with what you know to be true.
You can be aspirational about your cyber function and no cyber function is perfect because the threats are dynamic – you’re talking about things as they exist today, and things might change tomorrow. But you just need to be careful that you are not out speaking publicly giving a sense of confidence that you don’t feel or your internal team thinks is unjustified.
At FAIRCON24, more than 70 CISOs, CIOs, board members and other cyber risk leaders and stakeholders will speak on challenges such as third-party risk management, cyber reporting for the board, automating and scaling your program, and emerging risk areas such as AI. Register for the 2024 FAIR Conference now!