What CISOs Need to Know About the SEC’s New Rules

Working as a Chief Information Security Officer (CISO) has never been easy or glamorous. But with the recent adoption of new rules by the U.S. Security and Exchange Commission on cybersecurity risk management, strategy, governance and incident disclosure, life as a CISO has just gotten harder. Adding to the longstanding organizational risk CISO’s have always managed, now they have to contend with personal risk as well. Late in 2023, the SEC instituted rules placed strict new disclosure requirements on publicly traded organizations intended to protect the interests of investors in these companies. The main things to know:

Disclosure of Cybersecurity Incidents

Firms must disclose any cybersecurity incidents that “may be material to investors” within four days of the incident’s discovery. 

Disclosure of Cybersecurity Risk, Management and Strategy

Companies will now also need to disclose material information regarding their cybersecurity risk management, strategy and governance efforts in their annual SEC disclosure statements—publicly traded U.S. companies fill out Form 10-K, while foreign issuers submit Form 20-F.

Disclosure of Cybersecurity Governance

These 10-K and 20-F reports will need to detail a wide range of information on digital assets, and how CISOs and security teams at the executive level are constituted, how they communicate up to their boards of directors and demonstrate competence, and how the board receives that communication, whether through a committee or other arrangement. 

In the press release announcing the new rules, the SEC puts theft/abuse/damage/harm to digital assets on par with similar material issues stemming from physical assets:

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

It goes unsaid, but the clear meaning is that information about a burning factory is fundamentally public and material. It’s not concealable. It’s going to get the attention of the fire department and the media, and investors as well. A suspected vulnerability in a cloud database’s permission’s framework or a laptop left in a taxi, on the other hand, doesn’t necessarily become public knowledge unless it’s a reportable incident under state or federal (FTC Act, GLBA or HIPAA) privacy reporting laws. 

With the new rules, the SEC removes any wiggle room about reporting, and does so in a somewhat novel way. Privacy laws are put in place to protect the interests of individual citizens. The SEC protects the interests of investors, whether individual or institutional. By tying the enforcement to economic interests rather than the intrinsic rights as a citizen, the mandate becomes far broader. Any incident involving digital resources that has the potential to negatively impact the value of the organization is now subject to mandatory reporting under the law. And oh yeah, you have four days to make that happen. 

Why It’s a New Day for CISOs

The contextual underpinnings of the new rules make very clear that the SEC is applying a much tighter focus on CISOs, seeing the role as the mainstay position in an organization’s security hierarchy. And without specifically saying so in the text, the SEC’s actions point to a new era where much more serious enforcement actions are on the table—both for boards and for CISOs. How do we know this? 

The entire exercise here must be seen in light of the SolarWinds breach and the SEC’s subsequent prosecution of SolarWinds the organization, and its CISO Timothy Brown. The issue there is that the SEC charged that Brown sent emails internally stating that the “company’s critical assets were very vulnerable,” sentiments that were not reflected in investor communications. Further, the SEC complaint alleges that “Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company.” 

Clearly, the SEC is setting out to bring more transparency to reporting on cybersecurity and emphasizing the role of both boards and CISOs. But it must be noted that the roles and responsibilities of boards and CISOs can diverge, which is exactly what’s happening with the SolarWinds case. 

In the suit it filed in October 2023, the SEC stated that the initial Form 8-K disclosure that SolarWinds filed once it became obvious that it’s Orion platform had been compromised “was materially misleading in several respects, including its failure to disclose that the vulnerability at issue had been actively exploited against SolarWinds’ customers multiple times over at least a six-month period in the incidents involving U.S. Government Agency A, Cybersecurity Firm B, and Cybersecurity Firm C.” 

News reports point out that the security vulnerabilities plaguing SolarWinds were well known within the company but weren’t disclosed until those vulnerabilities started to be exploited to attack SolarWinds customers. In singling out CISO Brown in the suit, the SEC points out that he was selling stock in the company even while he was aware these vulnerabilities could be potentially catastrophic to the company’s market valuation. The implication from the SEC is that Smith should have acted as a whistleblower but chose to conceal the vulnerabilities to profit instead. 

It should be noted that SolarWinds has put out statements defending the actions of the company, but not those of CISO Brown. Which illustrates the conundrum facing everyone in the CISO position today. Security industry observers rightly perceive the SEC’s actions as rendering the CISO role in general as untenable, and a threat to individual practitioners in the field. Who would want to take on the role of CISO within a publicly traded company if inaction on the part of the board, or sloppiness within the investor relations communication team, could expose you to prosecution by federal authorities? 

The key issue here is personal liability. With the SEC clearly showing they’re willing to sue CISOs, and the board of SolarWinds apparently not standing 100 percent behind their beleaguered CISO, security professionals everywhere are entirely justified in fearing that they’ll get sued—thrown under the bus—if they’re ever unfortunate enough to be the presiding executive when a significant breach occurs. CISOs need to understand that the downside risk of non-compliance has grown significantly. 

Steps to Take Moving Forward

So, what’s to be done? The new SEC rules are already in effect. If you are a CISO at a publicly traded company, it’s time to take stock and gain an understanding of where your organization stands in relation to the new rules. Given the monetary and reputational risks, directors and officers (D&O) insurance will be a must-have for CISOs going forward. D&O liability insurance protects individual board members and executive officers from personal loss if they are sued for actions taken on behalf of the business. If you’re already covered under your company’s policy, know that premiums are likely to increase. It’s important to understand also how far your coverage extends. Not all D&O policies cover criminal prosecution, as the SolarWinds CISO now dealing with. 

What can be done to bring your currently systems, policies and practices in line with the new SEC rules? At CyCognito, our take is that to come into compliance with the new SEC rules, organizations will only be deemed as properly managing risk when they can document:

• The location of all digital assets
• Which assets contain information that would be considered material if breached (PII, PHI, intellectual property, etc.)
• How an attacker would be most likely to approach these assets
• That assets are being regularly tested and updated with security patches

In short, this is a pragmatic approach to establishing: we know what we’ve got, we know where the material info is, we know how to think like our enemy, and we’re testing all the time. So, the question becomes: how to achieve these goals? Deloitte has helpfully released guidance that establishes a workable framework from which to proceed. We’re going to paraphrase some of that guidance here and spell out where CyCognito solutions can play a role in bringing your organization into compliance with the new mandates. 

Conduct an SEC readiness assessment

Identify potential risks and address issues promptly

• CyCognito’s platform provides clear visibility to risk across your organization’s attack surface so that you can perform a security self-assessment and measure your external risk, including your exposures in on-premises, cloud, partner and subsidiary environments.
• With a holistic perspective of your security posture, pinpointing vulnerabilities, and assessing their potential impact, CyCognito automatically prioritizes critical issues, considering their severity, attacker perspective, and business impact. 

Evolve cyber incident response and reporting capabilities

Protect the organization’s interests, maintain trust, and strengthen overall cyber resilience

• The new four-day incident reporting mandate requires comprehensive visibility into your digital environment as well as the ability to pinpoint the nature of an incident, its origins and effects in hours, not days. Getting analytics and reporting on your attack surface is readily doable with the CyCognito platform, which reduces attack vector remediation and validation time from months to days. This dashboard presents an overall security grade for the issues detected on the assets in an attack surface, and groups assets by environments, business units and platforms without user input. 
• These asset groupings are automatically mapped to organizations to provide context for visualization reporting and trends. What sets the CyCognito platform apart from simple attack surface mapping is its ability to report on exploitable issues and on exposed assets where they can provide attackers a path of least resistance. Reporting on these exposures makes it possible to mobilize team efforts to operationalize security and close these gaps in defenses before attackers can exploit them. This information is exactly the kind of contextual data the SEC is looking for in requiring documentation on how an attacker would be most likely to target your organization’s assets. It’s also the kind of information necessary to keep your board informed on vulnerabilities and what the organization is doing to counter them. 

Apply stakeholder coordination and orchestration processes

Facilitate timely and appropriate disclosures

• With CyCognito, operational reporting is delivered as packages of findings from an attacker’s point of view called Attack Vector Reports. These dossiers contain actionable remediation advice and convenient attack vector validation, including status change, insights, as well as evidence. 
• Tactical reporting in this platform is provided by CSV exports of asset and issue data grouped to environments, business units, web applications, and platforms. Asset information like IP addresses, IP ranges, certificates, and domains can be exported manually or via API to populate spreadsheets, databases, and other tools. In this way, it becomes possible to more effectively coordinate the efforts of all stakeholders and orchestrate a unified response for annual reporting and incident response. 

Enhance the cybersecurity governance framework

Foster a culture of accountability while strengthening governance by educating the board and management

• Security frameworks and compliance standards define the procedures that reduce cybersecurity risk. Many organizations must adhere to these frameworks and standards but can find it difficult to make them actionable outside of an audit. The CyCognito platform automatically identifies violations for major security and compliance frameworks such as NIST, CIS and PCI-DSS. 
• With continuous monitoring and testing, the CyCognito platform addresses the new rapid response timelines and reporting requirements for all of the major global security frameworks:  

EU Network and Information Security Directive v2 (NIS2)

Automatic organizational reconnaissance, asset discovery and risk profiling provide the continuous visibility required for EU organizations to meet NIS2 requirements.

NIST Cybersecurity Framework (CSF)

The CyCognito platform helps organizations follow this standard by mapping closely to the Identify and Protect functions and contributing to Detect, Respond and Recover functions.

NIST Risk Management Framework (SP 800-53)

The CyCognito platform aligns partially or substantially with 10 of the 20 control families as applied to externally facing assets.

NIST Guidelines for Protecting Sensitive Information (SP 800-171)

The CyCognito platform provides guidance on assets with violations to NIST 800-171, helping organizations understand issues and remediate them promptly.

ISO/IEC 27000

The CyCognito platform contributes to addressing ISO 27001:2013 sections “6.1.2 Information Security Risk Assessment,” “9.1 Monitoring, Measurement, Analysis and Evaluation” and “10.1 Nonconformity and Corrective Action.” Of the 14 Categories in the Annex A controls, the CyCognito platform contributes significantly to three; A.8 Asset Management, A.12 Operations Security, and A.13 Communications Security.

Center for Internet Security (CIS) Critical Security Controls (CSC)

The CyCognito platform maps to 14 CIS controls. CyCognito provides extensive coverage around the inventory of assets, vulnerability and penetration testing, and security of ports and services.

GDPR and Other Data Privacy Regulations

The CyCognito platform helps your organization comply with other data privacy regulations around the globe that include protections for the way that PII is obtained, processed and stored. These include:

• California Consumer Privacy Act (CCPA)
• Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
• Germany’s Bundesdatenschutzgesetz (BDSG)
• South Africa’s Protection of Personal Information (POPI) Act

Discover and prioritize security risks introduced by your subsidiaries

A key challenge for holding companies, multinational corporations, and other conglomerates is monitoring the IT security risk of their subsidiaries. Subsidiary IT environments contain assets that you don’t manage but that can still put your organization at risk. Unknown and unmanaged attacker-exposed assets in these environments can easily be the source of your organization’s most critical cybersecurity risk. The CyCognito platform provides an automated, scalable platform that will help you manage and monitor your attacker-exposed subsidiary environments efficiently and effectively.

Map and discover all your subsidiaries’ assets automatically

The CyCognito platform gives you immediate visibility into the entire organization’s full scope of its legal entities, brands, and subsidiaries, even uncovering assets they didn’t know existed, and providing the business context of each asset including ownership.

Assess the security posture of your subsidiaries to understand the exposures that could impact your business

CyCognito objectively measures the risk of each subsidiary and the risk of each asset in its environment by validating evidence across multiple data sources and testing for high accuracy. This evidence includes an exact path of discovery, ownership, and critical issue remediation steps. This validated evidence establishes credibility when working with subsidiaries for remediation.

Continuously monitor subsidiaries to guarantee your entire organization is protected

CyCognito provides an automated, scalable platform that needs no deployment or configuration to monitor subsidiaries’ attack surface continuously. This is essential for maintaining visibility into the evolving attack surface, allowing the organization’s subsidiaries to mitigate security risks and threats.