One year after SEC cyber disclosure ruling, security leaders weigh in

July 26, 2024, marks the one year anniversary since the SEC cyber disclosure ruling. With a year in the rearview mirror, many security professionals are reflecting on whether or not their predictions for this ruling were accurate. Furthermore, they assess the impacts of the cyber disclosure ruling.

Security leaders weigh in 

George Gerchow, Faculty at IANS Research and Head of Trust at MongoDB: 

“We are approaching the anniversary of the SEC’s cybersecurity disclosure rules, and still, not much has changed. While organizations are trying to be more transparent, the lack of significant fines or penalties allows the same bad habits to persist. Many large corporations have experienced major incidents and failed to disclose them within the required four days of determining materiality without facing additional penalties.

Having personally experienced two cybersecurity incidents last year, I can attest that the new rules are a priority, especially regarding disclosure timing. However, these rules also create problems, such as announcing an ongoing attack before having time to mitigate the issue. This adds complexity and increases malicious activity against an already vulnerable organization.

So far, the only significant fine imposed has been around $10 million. To address these issues, we need greater accountability and larger sanctions on timing to enable customers to protect themselves, as well as clearer guidance on what constitutes material information. Additionally, we must find ways to better protect companies that are undergoing an incident after disclosure and are under attack.

“Regarding last week’s news of most of the SEC’s charges against SolarWinds being dismissed, let me start by saying this is a good and sensible step forward. I feel like the current ‘disclose while you are still under attack’ puts you in an even more vulnerable position. So, I am glad to see the judge’s response to risk warnings being too detailed.

“I see the overall dismissals as potentially damaging depending on what they are. We need more accountability for the organization instead of focusing on the security leaders of these companies who, in many instances, have their hands tied by execs and the board. We are becoming scapegoats. If this trend continues, you will see an even larger gap in security talent willing to put their credibility on the line, as well as facing charges by the SEC and DOJ.”

Steve Martano, Faculty at IANS Research and Partner at Artico Search: 

“While the dismissal of most of the SEC charges against SolarWinds will be viewed as a win within the CISO community, it is premature to think regulatory pressure and litigation against companies and individuals will desist in the future.

Each cyber incident and consequent response is unique, and while the SEC may be hesitant to proceed with litigation due to this precedent in the immediate future, it’s become clear in recent months and years that regulators are indeed willing to test the bounds of such litigation. We are far from a clear understanding of what is expected of companies and security leaders in terms of breach response, but U.S. District Judge Paul Engelmayer’s ruling that company risk warnings do not require “maximum specificity” does mitigate the risk for CISOs, if only slightly.

“As we approach the anniversary of the SEC’s cyber disclosure rules, we reflect on both the initial disclosure requirements and the required filing follow-ups codified by the SEC.

“Regulators such as the SEC are continuing to add requirements beyond financial disclosure, and cyber is just one piece of additional information that holistically makes up the health and business risk of any company. Due to these adjusted regulations, companies are reevaluating materiality and documentation around cyber incidents.

“Although many CISOs clamored that the SEC did not do enough in their 2023 ruling, they begrudgingly agree that any move leading to an increase in transparency and disclosure is a positive step. Most of the discontent last summer was around the SEC striking their cyber board member requirement, the optics of which was regulators viewing cyber as an operational challenge to be managed by executives rather than in the boardroom.

“Many companies over the last year developed a cross-functional plan for cyber incidents, redesigning incident response strategies that include an assessment of materiality. This positive development enhances the muscle memory of an organization in the event they need to respond to a security incident while also elevating the security function and security leader. While we are far from an equilibrium on cyber disclosure and regulatory requirements, we are trending in the right direction.”

Scott Kannry, CEO and Co-Founder at Axio: 

“As we approach the 1-year anniversary of the SEC cyber disclosure rules, there is a lot of uncertainty, especially in light of the recent Chevron ruling. This pivotal decision emphasizes the courts’ role in interpreting ambiguous regulations, leaving many to question the future impact on existing frameworks.

“Furthermore, last week’s dismissal of most of the SEC’s charges against SolarWinds is significant. While this decision may ease some immediate pressures on companies, it also underscores the ongoing complexity and unpredictability of the regulatory landscape. Even though the judge ruled that risk warnings don’t need maximum specificity, the risk isn’t entirely removed, although it offers some relief for CISOs.

“For companies and CISOs, this raises critical questions: Do these rules still matter, and how should strategies evolve to align with shifting regulations? While clear answers remain elusive, one thing is certain — the regulatory and litigation landscape will continue to transform. We can anticipate more regulations, increased litigation and potentially conflicting court decisions.

“In this dynamic environment, management teams must gain the insights necessary to make informed and defensible decisions about their cybersecurity programs. Key considerations include:

  • “Ensuring cybersecurity programs align with the organization’s highest risk areas.
  • Assessing the potential financial impact of cybersecurity events.
  • Evaluating how well losses are contained within risk tolerance levels if an event occurs.
  • Identifying the most cost-effective strategies to achieve these goals.

“CISOs, in particular, must build a shield of defensibility. They need to demonstrate that they have exercised appropriate care, were well-informed and used proper business judgment. By doing so, they can better navigate the complex and evolving regulatory landscape, safeguarding their organizations.”