Cybersecurity and breach regulations – Are you ready?
Editor’s Note: This is the first in a series of blogs set to explore the quickly evolving compliance landscape. While this first piece provides an overview of the conversation, we’ll use future posts to dive into the nuance security professionals should be considering.
The risks a connected world brings have been evident since 1971 when ARPANET, the precursor to the modern-day internet, first went operational. That same year Bob Thomas developed “Creeper,” an experimental computer program capable of moving over ARPANET between DEC PDP-10 mainframe computers running the TENEX operating system. Another researcher figured out how to have that program copy itself rather than move, and the first “worm” was born. Fast forward 40 years, and virtually every person and business is affected by the internet. Entire economies, livelihoods, and indeed national security are directly tied to the assumption that people, companies, and governments are able to safely and securely interact on internal computer networks and through public broadband network access.
Given this backdrop, it is no surprise that both the Securities and Exchange Commission (SEC) and the U.S. Federal Government (USG) have a vested interest in ensuring cyber-related risks are not ignored, but rather are factored into corporate governance and continuity considerations for businesses. The SEC and USG have been pushing for more transparency and disclosure related to these risks for some time, and have now provided specific regulations and proposals to require such disclosure. A big question for businesses is whether they will be ready to meet these reporting requirements.
Cyber Incident Reporting For Critical Infrastructure Act of 2022
President Biden just signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which sets out mandatory reporting requirements for critical infrastructure entities for cyber-related incidents, and in particular ransomware events. CIRCIA requires Covered Incidents to be reported within 72 hours after an entity forms a reasonable belief that an incident occurred, and any ransomware payments must be reported within 24 hours. What a “Covered Incident” is has yet to be defined by the Director of the Cybersecurity & Infrastructure Security Agency (CISA), but at a minimum it will require the occurrence of:
(i) a cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes; (ii) a disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero-day vulnerability, against (a) an information system or network, or (b) an operational technology system or process; or (iii) unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.
The sweep of this legislation is broad, and the required disclosures will affect a significant swath of the business community. Having the right tools to rapidly identify, understand, isolate, respond to, and report on possible incidents with certainty will be critical to meeting the obligations imposed by this regulation. CIRCIA is focused on a subset of companies related to critical infrastructure, and the Director of CISA will be responsible for providing clarity on the entities covered by this regulation. A Covered Entity will include entities in a “Critical Infrastructure Sector” as set forth in Presidential Policy Directive 21, and this includes businesses covering a significant portion of the world’s economy (e.g. chemical, communications, critical manufacturing, defense, emergency services, energy, food, financial services, healthcare, information technology, transportation, etc.).
Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
While some businesses may not be covered by the reporting obligations imposed by CIRCIA, all public companies in the U.S. will be affected by the recently proposed SEC rules intended to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.
In brief, the proposed SEC Incident Disclosure rules, which were published for comment in the Federal Register on March 9, 2022, would require companies to: i) disclose information about a material cybersecurity incident within four business days after determining an incident has occurred; ii) provide updated disclosures about previously disclosed cyber incidents; and iii) disclose when a series of previously undisclosed immaterial cybersecurity incidents has become material in the aggregate. When the SEC uses the term “material,” it is important to remember it is used in the context of the significance of the item to a company’s financial statements. In this context, a matter is considered “material” if there is a substantial likelihood that a reasonable person would consider it important.
While there is A LOT to unpack in these proposed incident disclosure rules, what is more telling and significant is that the SEC proposal requires enhanced and standardized disclosure of companies’ cybersecurity risk management, strategy, and governance. This will require public companies to, among other things:
- Describe policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the company considers cybersecurity as part of its business strategy, financial planning, and capital allocation;
- Disclose the company’s board oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk and implementing the company’s cybersecurity policies, procedures, and strategies; and
- Disclose whether any member of the company’s board has expertise in cybersecurity.
As you can clearly see, the SEC has recognized the increasing importance of cybersecurity and appears poised to require these disclosures to better inform potential and current investors, allowing them to evaluate a company’s exposure to cyber risks and its ability to manage and mitigate those risks.
Between the USG’s and the SEC’s new focus on cybersecurity, companies, both public and private, need to build cyber risk management into their normal operations: from visibility into the risks they face, to an understanding of their infrastructure and its exposure to those risks, and finally the ability to take action when a significant risk is identified.
So, we’ll ask again – are you ready?