At the recent 2022 FAIR Conference, David Hirsch, the Securities and Exchange Commission enforcement chief for cybersecurity, and his predecessor in the job, Kristy Littman, now in private practice at Willkie Farr & Gallagher, answered some timely questions on how cybersecurity and risk professionals at public companies can stay in synch – and stay out of trouble – with changing policies at the regulator.
A FAIR Institute Contributing Membership is required - JOIN NOW.
Left to right: David Hirsch, Nick Sanna, Kristy Littman
Earlier this year, the SEC released proposed rule changes to tighten requirements for reporting on cyber incidents, including disclosing cyber events of material impact within four days of discovery – the US Chamber of Commerce and other business groups strongly objected to that timetable as too much to expect so early in a cyber incident. The SEC also proposed that companies:
>>Provide periodic updates about previous incidents
>>Report when a series of small, previous events added up to a material impact
>>Periodically report about their policies and procedures to identify and manage cybersecurity risks
The FAIR Institute has advocated that using Factor Analysis of Information Risk (FAIR™), the standard for communicating about cyber risk in financial terms, can align any public company with the letter and spirit of SEC policy, whether it’s determining material impact or running transparent procedures for cyber risk management. (See this blog post from FAIR Institute President Nick Sanna: SEC Proposes Rules for Faster, More Defensible Cyber Risk Reporting. It Could Do Better Still.)
While not directly endorsing FAIR, Hirsch and Littman spoke to the need for effective communication about cyber risk from the frontline defenders to the senior executives responsible for disclosures to investors.
Some highlights of the conversation with Hirsch and Littman, with Nick Sanna posing the questions:
The four-day proposal that trade organizations say is too stringent: Is it fair or unfair?
Littman: “My reading of that is that the four days will run from the materiality determination, not from the cybersecurity incident. I think that remains to be seen…Four days is not a long time especially if you are in the midst of an incident and you have a lot of other obligations…There are a lot of pieces of information required in that disclosure to the extent they are known at that time that are going to be really difficult.”
Hirsch: “It’s still in the proposal stage and unclear if it will be adopted…The idea that the SEC wants very timely reporting is accurate. There’s an expectation that, as you are planning to respond to an incident, that should be front and center. You want to have a plan where you can both respond quickly and be ready to start communicating with your regulators and law enforcement as quickly as possible.”
How would you recommend handling conflict with a General Counsel over risk reporting?
Hirsch: “I can recognize how General Counsels are risk adverse and sometimes think less is more as far as how they go about disclosing things. Traditionally, the SEC takes the opposite view. You want to think, if I have to defend what we’ve disclosed…am I going to be confident that the disclosures we offered were fulsome, were fair, and gave our investors the information they need. Almost all of the enforcement actions we have brought have been either because of delayed reporting or the reporting was inaccurate – they said risks were hypothetical when in fact the risks had been realized.”
Would you recommend organizations use quantitative risk analysis as a standard?
Littman: If the SEC is looking at their policies for managing risk, that may very well be a good piece of evidence to point to…It’s probably not a defense to not disclosing something [on the grounds that the risk was not material]. I think they are separate questions but if we are looking purely at the company’s policies and procedures and how they manage risk, I think it is a good fact.”
Hirsch: “Every matter is based on its own facts so it’s hard to give somebody a blanket yea or nay on a question like that. But I would say that to the extent that you are going through the work of really trying to analyze the potential impact of cybersecurity risk for breaches or incidents, and working hard to really think in advance of where those might occur to try to lower the likelihood of them happening, and the impact that they would have if they do occur, and you are disclosing that to your investors, those are all the sorts of things that we are encouraging in the abstract.”
A FAIR Institute Contributing Membership is required - JOIN NOW.
