
New breach disclosure era arrives
A new era for cybersecurity disclosure has now officially begun following the adoption of new rules by the Securities and Exchange Commission (SEC) requiring public companies to disclose within four days all cybersecurity breaches that could affect their financial results.
Starting December 15th, the new rules also require publicly traded companies to annually describe their cybersecurity risk management efforts and the level of cybersecurity expertise they have at the executive level.
The SEC rules are among the first of a series of levers the U.S. government is expected to apply to require organizations to improve the overall state of their cybersecurity. As outlined in the U.S. National Security Strategy published earlier this year, the government is committed to extending the authority of multiple Federal agencies to achieve that goal.
As noble as the goal may be, these rules create something of an ethical dilemma for cybersecurity professionals. In theory, at least, cybersecurity professionals have an obligation to the organizations they work for to keep information confidential. However, as the recent conviction of former Uber CISO Joseph Sullivan made clear, the U.S. government is signaling that the interest of shareholders in a public company supersedes all other obligations.
The new SEC rules do allow for disclosure delays if the information being withheld poses a serious threat to national security or public safety, but for the most part, the boards of directors of public companies will be held more accountable for breach disclosures. Naturally, those boards will be looking to their internal cybersecurity teams for guidance in assessing the financial impact any breach might have. As most cybersecurity professionals well know, making such assessments can be tricky business. There are the obvious costs created by having to, for example, send notifications to customers and remediate the vulnerabilities that were exploited, but placing a value on damage to brand reputation is not nearly as clear cut.
For example, with more organizations now regularly disclosing breaches, many customers have become inured to cybercrime. Not nearly as many customers are outraged as they once might have been to discover their personal data has been leaked. It is annoying, but fewer customers today are likely to stop doing business with an organization because of a lapse in cybersecurity.
The SEC is requiring organizations to disclose any material impact on financial results without really defining what that constitutes. In fact, the rules require disclosure four business days after a registrant determines that a cybersecurity incident is material. They do not say how long it should take between when a breach is discovered and when it should be deemed material.
Most public companies are going to err on the side of caution when it comes to making these disclosures, for fear of winding up as the target of an SEC investigation. But if breach disclosures start having a significant impact on stock valuations, the pressure on cybersecurity teams to equate the blast radius of a cybersecurity incident with specific costs is only going to intensify. There are always going to be a lot of people in these organizations, including members of the cybersecurity team, who have a vested interest in making sure stock valuations remain as high as possible. There may even come a day when cybersecurity professionals determine that owning shares in the companies they work for represents too much of a conflict of interest.
Hopefully, all these disclosures will lead to better cybersecurity if for no other reason than organizations will learn from the mistakes and miscues made by others. The challenge, of course, is that all those disclosures are about to be made in a public forum for all, including cybercriminals, to see.