FAIRCON23 Panel: How CISOs Can Get Ready for New SEC Cybersecurity Rule, with Advice from SEC Cyber Enforcer David Hirsch (Video)
If you’re a CISO, public company board member, securities lawyer, or anyone else touched by the new SEC rules on disclosure of material cyber risks, you’ll want to watch this one-hour video headlined by David Hirsch, the SEC’s chief enforcer for cyber, plus a deeply knowledgeable group of legal, infosec and corporate governance experts, moderated by Wall Street Journal cyber editor Kim Nash.
We pulled out some of the highlights (with timestamps) as a quick guide, but many more insights are on the video.
>>Moderator: Kim Nash, Deputy Bureau Chief, WSJ Pro Cybersecurity
>>David Hirsch, Chief, Crypto Asset and Cyber Unit in the Division of Enforcement, SEC
>>Brian Walker, CEO, The CAP Group
>>Kurt John, CSO, Expedia Group
>>Richard Borden, Cybersecurity and Privacy Partner, Frankfurt, Kurnit, Klein, & Selz
On the What and Why of the New Disclosure Rules
0:37 David Hirsch describes the two parts of the new rule: 1) companies must disclose how they are prepared to deal with material cyber events, and 2) the “four-day clock” to disclose a material incident if one occurs.
4:19 Hirsch on the need for the new rules: There were clearly more cyber events happening than 8-K disclosures filed with the SEC.
25:10 Hirsch says his hope is that with companies filing 8-Ks more frequently, cyber incidents will become “less significant in the minds of investors…just one of a string of incidents that everyone is potentially vulnerable to.”
On Playbooks for Material Risk Disclosure
8:38 Kurt John shares his company’s strategy on material-events disclosure: 1) create a disclosure framework shared with Legal, Communications and other functions, and 2) run tabletop exercises to road-test that framework. David Hirsch endorses the approach.
39:12 John says that the first thing he would do in a serious cyber event is spin up a Confluence or other shared page and start documenting the decisions, along with their risks and rationales, that preceded a materiality determination. David Hirsch agrees that’s a good way to document a process, which is just what the SEC wants to see.
On that Worrisome 4-Day Rule
13:23 Kurt John advises CISOs not to feel rushed by the 4-day rule: take a week if you need it to get the information right.
17:10 David Hirsch confirms that there is indeed no expectation of “perfect visibility” into a cyber event within four days; think of disclosure as an “iterative process,” with further disclosures as more information becomes available. However, it’s critical to keep good records so “we can see the decisions made were based on the best available evidence.”
19:22 Richard Borden pushes back a bit, saying that an after-incident investigation can reveal information that was in logs but not recognized as important during the incident. “A backward look can be very problematic for companies.”
On Determining Materiality
5:18 Richard Borden cautions that a cyber event may appear to be insignificant to the cyber team but turn out to be material as a reputation hit. “We are speaking two different languages.”
35:22 David Hirsch takes on the confusion over what the SEC means by qualitative vs. quantitative impact and urges that in cyber as well as other forms of material risk, companies ask themselves the basic question of “Is this type of information our investors care about?”
38:00 Borden says even for qualitative judgements, it is essential to track cyber risk data. “That’s a really important way that you can document that you have been reasonable in the judgment that you have made.”
On the CISO’s Role in the Materiality Disclosure Process
21:53 Brian Walker advises CISOs: “don’t put the pressure on yourself to be the sole determiner of what’s material.” There should be a risk team to shoulder that burden. Your role is to be an SME and, most importantly, to keep communicating so you don’t end up “under the bus.”
30:12 On staffing a disclosure team, Richard Borden advises companies to cross-train people: a lawyer versed in both information security and securities disclosure, and an infosec person who can translate for the front-line defenders.
On CISO Liability
43:41 Brian Walker says “Nothing in the new ruling creates obligation or liability on the part of the CISO”; if anything, the SEC demand to document a materiality process takes the pressure off the CISO.
54:17 The SEC named the CISO of SolarWinds in a fraud complaint after this session at FAIRCON, but when David Hirsch was asked about legal liability for CISOs, he was clearly doing some foreshadowing: “I think there is a priority to hold individuals accountable if they are deceiving the government, if they are…the decision makers in a way that is outside what can be described as the reasonable approach to cybersecurity.”
44:25 Walker says that if organizations are now naming CISOs in SEC disclosures, they should be included in the company’s directors and officers (D&O) insurance. “Make that a term of employment,” he suggests to CISOs.
On the Role of the Board
10:40 Brian Walker says that boards are also looking for a more predictable process for handling a material cyber incident, but they are “struggling with how they are going to know it’s material.” He suggests this is a good time for CISOs to get on the schedule for board meetings.
On the New FAIR Materiality Assessment Model (FAIR-MAM™)
50:17 Brian Walker notes that companies run on numbers and anything we do “to speak more using probabilistic estimates and a common vernacular will drive us to quicker decisions and quicker alignment.”