October 18, 2023 at 05:43PM
CISOs face the challenge of deciding what details to report and omit under new SEC rules. The CISO, along with the security operations center, would prepare a memo with incident details to be reviewed by investor relations and legal for a filing to the SEC. CISOs must balance reporting as much information as possible with cybersecurity concerns and the need for accurate information. The filings of Caesars, MGM, and Clorox provide examples of what information to disclose.
The meeting notes highlight the challenges CISOs face in deciding what details to report under the new SEC rules. CISOs are in a delicate position: they must report as much as is legally required, share as little as possible from a cybersecurity perspective, and report only information they are confident about. It is important to report only what is known with a high degree of certainty, especially since initial details are often wrong and can change over time.
The filings from Caesars, MGM, and Clorox can provide guidance on how to comply with the new rules, although the information disclosed may vary depending on the nature of the incidents. The filings focus on what is known, avoid speculation and predictions, and do not include details that are likely to change. It is important to keep disclosures simple, factual, and at a high level, focusing on tangible and measurable impact.
Another consideration is the actionable value of the information to shareholders and potential investors, and whether disclosing specific vulnerabilities could provide attackers with additional information. CISOs should also be mindful of what information is already publicly available, as certain details may be known through social media or other sources.
While it is important to make judgments about the materiality of the information, the obligation is still to disclose. CISOs should separate what happened from the organization’s planned remediation efforts, as there is no requirement to discuss remediation in public disclosures.
With the new SEC rules, cybersecurity incidents will receive more attention internally, bringing them to the forefront for boards of directors, CEOs, and CFOs. It is advisable to involve corporate counsel or outside legal advisors in the disclosure discussions to provide legal advice and protect the conversations under attorney-client privilege.
Overall, CISOs face the challenge of effectively reporting cybersecurity incidents under the new SEC rules, balancing legal requirements, cybersecurity concerns, and the need to provide meaningful information to shareholders and potential investors.