Two months into new rules around when public companies must disclose major cybersecurity breaches, some questions remain. But visibility into the cyber landscape may also be opening up in new ways.
WashingtonExec recently reached out for member feedback on the impact the changes are having so far.
What changed?
The Securities and Exchange Commission set rules that went into effect Dec. 15, requiring public companies to disclose “material incidents” on Form 8-K within four business days of determining that a cybersecurity incident rises to the level of “materiality.” The commission has been involved in setting rules around disclosures for years. The latest change aims to create more consistency, according to a statement from Eric Gerding, director of the SEC’s Division of Corporation Finance.
What is the impact?
Michael Boggs, director of the Federal Cyber Programs at ICF, said the four-day reporting window won’t be a big challenge for most large companies as many already had contracts and regulatory requirements comparable to the SEC mandate.
“Instead, the biggest challenge will be defining what a material cybersecurity incident is due to the interpretive latitude,” he said. “Right now, there is a lot of ambiguity around what that means, and there is no standard definition for companies to abide by.”
Joseph Dyer, vice president and chief information security officer at ICF, said the new SEC requirement boils down to accountability.
“Many public companies already have to comply with certain disclosure requirements, but now these companies will have to bring broader visibility into their cybersecurity practices and invite public scrutiny,” he said. “This will require a mindset shift, and I think the biggest impact we’ll see is that, for the first time, the public will be able to judge a company for how they prepare for and handle cyber breaches.”
Dyer said the SEC mandates are forcing GovCon companies to open new lines of communication about their cybersecurity practices so they can be held more accountable publicly.
“But it’s no secret that, historically, interagency communication and collaboration have been difficult,” he added. “GovCon will feel some of the growing pains as agencies and other stakeholders figure out the most effective and impactful method to disseminate information and obtain guidance when faced with conflicting requirements. For example, when the SEC reporting overlaps with national security and public safety confidentiality.”
Andrew Cunje, chief information security officer for Appian, said his company has always been committed to providing customers with the most trusted platform for process automation. Appian, he said, has built robust security programs that adhere to stringent standards from highly regulated industries and is well-positioned to enhance its practices and procedures to comply with the changes brought on by SEC’s new cybersecurity rules.
“With respect to ‘materiality,’ Appian has always had processes in place for our legal department to review security incidents and follow SEC guidelines on whether any incidents would rise to a ‘material incident’ under the SEC’s existing rules and regulations,” Cunje said. “The new four-day disclosure deadline will not significantly impact our already existing processes and commitment to public transparency.”
What is the outlook for 2024?
Boggs said today’s cybersecurity landscape requires companies to operate under the assumption there will be a cyber breach.
“In 2024, we are laser-focused on enhancing our detection and response to cyber threats so we can act as quickly as possible,” he said. “To do this, we are focusing on three core pillars: evaluating and integrating new technologies like AI into our response efforts, enhancing our zero trust principles, and strengthening our third-party supply chain risk management methodologies.”
Cunje said Appian’s focus for 2024 is on resilience.
“As an enterprise-grade software vendor that works with a global customer base, new laws and regulations, customer expectations, and the evolving cyber threat landscape all drive our cyber program to continuously improve,” he said. “Our focus will be on improvements that stand the test of time and can rise up to the challenge of meeting the new global standards which focus on concepts such as supply chain, patching, secure access and more. Finally, as the scope of these changes is partnership and transparency, we are looking at advancement of methods for both new and existing customers over time.”