The Progress Report

Taking cybersecurity from an IT issue to a strategic business imperative

Episode Summary

The Securities and Exchange Commission (SEC) has adopted rules requiring publicly traded companies to disclose material cybersecurity incidents they experience and to disclose, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance. This requires reporting material cyber incidents within four business days, which means companies must be prepared with a robust cyber resilience strategy. In this episode, our experts explore the impact these regulations have on cyber risk management strategies, governance, and processes. Listen as they share insight into how to prepare and what we're learning from recent breaches.

Featured Experts

Greg Spicer, Co-Founder & Chief Revenue Officer, Ostrich Cyber-Risk

John Feezell, Global Security Consultant, Risk Advisory Services, Kyndryl

Episode Transcription

Tom Rourke 00:03

Hello, this is Tom Rourke. I'm the global leader for Kyndryl Vital, and you're very welcome to The Progress Report. The Securities and Exchange Commission has adopted rules requiring publicly traded companies to disclose material cybersecurity incidents that they experience and to disclose, on an annual basis, material information regarding cybersecurity risk management, strategy and governance. But perhaps even more importantly, there's a requirement that they report material cyber incidents within four working days. Joining me today to discuss the implications of these SEC regulations, and how they may begin to shape the approach of other regulators globally, are Greg Spicer, who's Co-Founder and Chief Revenue Officer of Ostrich Cyber-Risk, and my colleague John Feezell, who is a Global Security Consultant in Risk Advisory Services here at Kyndryl. John, Greg, you're both very welcome to The Progress Report. So let me just jump straight into this. Greg, you know, as we kind of approach this, and we're trying to understand the context, maybe just a little bit about, you know, what's the definition of a cyber breach in this context? And in particular, what does it mean for it to become material and therefore warrant the extension of the SEC?

Greg Spicer 01:22

Wow, big question. Seems like an easy answer: a cyber breach is something that happens to an organization, whether it's ransomware or a DDoS attack, basically a disrupter to the organization that is critical to that organization functioning, right? Organizations have great tools in place for defense mechanisms, but it still keeps happening. So breaches are something that are here to stay; no matter what we can do, there's always going to be a way that people get in, but the key there is trying to eliminate as much as possible that opportunity for a breach. Now the materiality question that you ask is being approached completely differently now, because of the SEC rules, the new rules that came out. Basically, in our context, it's really, you know, what is the biggest financial impact to the organization? What will shut an organization down? And then there's many implications to that materiality in terms of what that financial impact is, whether it's loss of data that's being ransomed, whether it's brand reputation, whether it's insurance costs, and a whole plethora of other things that add up to what is material.

John Feezell 02:29

When we talk about cyber breach, and specifically, the SEC declined to separately define even cybersecurity itself. What is cybersecurity? Their view is that, you know, even the industry has different expectations of what that is. And when we ask somebody, what's a cyber breach, they might not think about a data center in Florida that suffers a hurricane; there's going to be a plethora of understandings when you say that word cyber breach. And so I think we need to take a holistic view towards that. Also, with regards to materiality, I think there's something informative here regarding the intent of the SEC. So the intent, the reason they brought this to the table and brought it to the surface, is really the viewpoint of an investor, because that's what they're managing. And so some guidelines there that I'm discerning from the prior definitions of materiality: it would be an event, an action, that has a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or when it significantly alters the total mix of information made available. But that definition of materiality is not spelled out. It is in the eye of the beholder, I guess, with each company that approaches this compliance regulation. What is material to you? How do you define it? How do you decide internally to define what is material? Can you defend that? And so decompose it, defend it, so that when - and if - the SEC comes and says, 'Tell me how you calculated that,' you're ready with an answer that you're willing - that's a hill you're willing to die on.

Tom Rourke 04:20

That's really interesting, actually, John, and my own background, very, very many years ago, was in insurance, and there's this phrase about, you know, material facts and material factors, what a prudent underwriter would take into consideration when either accepting, declining or rating a risk, right? And it does remind me that in other areas of risk, there are well-established professions, accounting guidelines, rules for the reporting of data and so on. So does that give you a great deal of maturity in the ecosystem around the assessment, understanding, reporting and management of risk? A positive interpretation is that all those accountants and financial people just jump on this as the latest risk they need to consider. Or is it a situation where actually the SEC is looking to reach deeply into organizations and start talking to their techie people, for example, or CISOs? How does this differ from earlier experiences of understanding and reporting risk to the SEC?

John Feezell 05:19

Well, I think you've put your finger on something very key there, Tom, that this is not just yet another regulation; there's an intent behind this. And the intent is to foster that deeper conversation. Approaching this is a team sport - it must be a team sport - it cannot be just one more check on a checklist. And it cannot be the cyber folks and the CISO off trying to battle this and frame it; it must be a collaborative effort across all of the disciplines within the company.

Greg Spicer 05:57

In some ways I will say, too, that these rules ultimately will benefit a CISO, right? They're scary right now. But once they get into a process of doing things, being able to determine what they consider materiality is going to be critical. And if you can show due diligence and due care in terms of what you're doing in your cybersecurity protection and posture, that's going to go a long way to defending yourself if something does happen. And hopefully, by doing this type of process, whether it's using tools like ours, to look at it from an assessment standpoint, and then quantify that data, and compare that to industry standards, and so forth. As long as you can show there's a process in place, that's going to help you immensely, not only in the defense of your process, but also just in building a better cybersecurity program.

Tom Rourke 06:45

So the requirement to report a material incident within four working days, is that a public disclosure, or can that be done on a confidential basis to the SEC?

John Feezell 06:54

It is public, I believe, and the timer starts at the decision of materiality, not at the breach.

Tom Rourke 07:02

I'm curious as to whether that actually sets up a set of circumstances where people are going to be very, very actively trying to downplay the materiality of an individual incident, so that they can prevent that clock from starting too soon?

Greg Spicer 07:15

Yeah, I mean, that's the big challenge; the big statement was, that's just too fast. How can we possibly go through that process in four days to understand, when that breach happens, what's the materiality? But we have to determine it. But what you're saying, John, that gives them leeway, because they have to determine whether it's material, and then once they determine it... but I think that's pretty vague.

John Feezell 07:38

It is vague. And I think the SEC left it vague; they did not define it as 'you have two weeks to determine materiality'; it has to be reasonable. So again, the folks that are used to swimming in interpretation of those types of words in relation to the federal government, those people need to be part of that team, so that they can help the company interpret what is a reasonable amount of time. And that will certainly be informed by the cyber folks and the CISO and the CIO. But whenever you assess something like that, you have to think of the defensibility of it. So if somebody challenges me, 'I say that you are not reasonable in this case,' 'Well, I say that I was, and here's why,' you have to have those arguments kind of prepackaged as you approach that.

Tom Rourke 08:23

It definitely strikes me, you know, that situations might arise where I have to disclose something publicly in a field where actually perhaps investor understanding is not particularly sophisticated. So, you know, I imagine that we have long histories of investors getting their heads around when I disclose that something has happened, like an officer of the company is leaving, or we've uncovered a scandal, or we've got some position with regard to debt and so on. I imagine there's an issue here where, if I report on a major cyber incident, investors perhaps just don't fully understand the potential implications of it, and that could create quite significant impacts on the value of my company, if I prematurely disclose that to an investor base that does not fully understand these risks in the way that they might understand other financial risks.

John Feezell 09:11

I think the guidance from the SEC, although it's opaque in some aspects, actually allows for that exact thing, Tom. There's basically two parts to what I want you to expose publicly here about this event that you have now deemed as material and relevant to this reasonable shareholder. And the first line item is, 'What are the material aspects? What happened?' You need to explain what happened. And then the second piece of this is the material impacts, or reasonably likely material impacts, of the incident. So you might say, this is going to have a negative impact on our earnings, or it's going to stop this big consolidation effort that we were trying to do that was part of, you know, what we've shared with our stockholders. And that's a qualitative sense of the actual impact. So now we're joining those dots for the investor. Here's the thing that happened, here's how it's going to touch us in our business context. And we estimate that this will cost us in a range between $100 and $150 million. And the idea of that is, then you present the shareholder a full package: here's what happened, here's how it's going to touch us in a business context, how it matters to us, and thus matters to you.

Greg Spicer 10:31

It's a big shift, right? Looking at cybersecurity, for quite some time it's been really just controls based. And the CISO, when they get their quarterly meeting with the board, will go in and talk about, well, we have these controls, and we have these controls, and we have this much CrowdStrike endpoint protection, and our firewall does this. And from what we hear in talking to customers and clients, the eyes just glaze over, you know, the board, they don't understand it, nor do they care. But when you start talking about the financial impact of events - but what's really important - what John and I focus on with customers, is the idea of, 'Well, let's prepare, let's find out what your biggest risks are.' If you can prepare yourselves, once you walk them through that type of process of here's where we are, here's where we should be based on the biggest risks, let's make improvements on those controls specifically to reduce that risk and reduce the financial impact of that risk.

Tom Rourke 11:29

Given that we have a global audience for The Progress Report, I'm curious, are other regulators in other markets already active on this? Or are they too waiting to see how this plays out in the US, and what the response to the SEC's position is, before they take their own positions?

John Feezell 11:46

I think the current SEC rulings are going to provide those guidelines. And that's another great topic: who needs to pay attention to this? Is it just US companies that are traded on the stock exchange? I think it's going to provide guidelines, and there is some waiting to see: how is this going to be received? How is it going to be activated? And what result does it have? Let's craft our local government or country-wide assessments along the same lines.

Tom Rourke 12:18

I mean, the other question I had, again, I'm curious as to what are the things that might accelerate the pace here. My thought, for example, was activist investors who use the signal of the SEC to also shape their position as they look at particular companies, and kind of look for better strategies as part of how they challenge the management team at a company. Is there any evidence of that kind of thing happening? Or?

Greg Spicer 12:41

My thought on that is I don't think so. And I may be wrong, but I don't hear that from folks that I talk to around the space. And the reason is, again, because cybersecurity, when you look at it in its current state, it's very complex. I think your common investor, and quite frankly, even the board, doesn't get all of what cybersecurity is. But once we start tying it to what it's going to do to the organization... what we read in the news mainly is about what happened, right, and who did what and who we suspected of the bad things. But once you start talking about it in terms of dollar amounts, and how it impacted the organization, and also how it impacted people: people's personal information, and different aspects of how it affects everyday people that might engage with that organization, whatever it is, whatever that company does. The more that gets disclosed publicly, the more there'll be an outcry for, 'Hey, we want to understand this better.' But at this stage, I don't think the investors are thinking that far ahead. They just want - I would assume - their dividend and a good return on their investment.

Tom Rourke 13:52

So in terms of advising corporations that are at an early stage of getting their heads around this, what is the advice that you would give to those companies as they begin their preparations, and begin them in a way that is sensible? They want to invest at an appropriate level, they want to have an appropriate level of transparency and control. What are the key best practices that we could share?

John Feezell 14:15

I have some ideas on how to approach that from the cyber folks' side. I think there needs to be an understanding that your heritage of talking about your risk posture with red, yellow, green, and high, medium and low - while it's been okay up to this point, and I'm not implying that you need to abandon that completely - but you need to find the Rosetta Stone that will allow you to have those risk conversations with the other pieces of the business, with the chief operating officer. And he doesn't talk about risk in red, yellow, green. And so when you bring that to them, there's going to be a disconnect. And so for the cyber teams, I recommend that you begin to embrace cyber risk quantification, and that you use open standards to do that. You're going to have to have those conversations; you're part of that team. And you have to be able to bring your part to the table in a usable, consumable way, for the other members of the C organization and the board that are going to have to make these materiality decisions. You've got to do your part. It's not all on your shoulders, but part of it is, and you've got to bring that.

Tom Rourke 15:32

I'm interested in what you said there about embracing open standards. Are there clear leaders emerging in terms of the people who are looking to define those? I mean, obviously, again, if you go back to the financial world, we have generations of people developing standard accounting practices and so on. Who's taking a lead? Or is anyone taking a lead in the definition of what those open standards are in this context?

Greg Spicer 15:53

The way we see it, from a technology company standpoint, there's products and ways that people do it, maybe on their own, technology providers on their own, quote, unquote, and one of the challenges with that type of technology or their algorithms is it's "a black box", if you will; people feel like, 'Hey, we're buying this tool, but what's really quantifying it?' I'm heading out next week to Europe to speak at the FAIR Institute. And FAIR is Factor Analysis of Information Risk. And The Open Group, which we're probably all familiar with, has adopted that as the standard methodology for doing risk quantification for cybersecurity, and that's built into our application. So we have some automation, where people can run quantification just from their qualitative assessments, but they can rest assured that behind the scenes it's the FAIR ontology that we're using. And John is obviously a FAIR expert.

John Feezell 16:52

Well, thank you. And I agree wholeheartedly. I've made a couple of comments along the way about defensibility, and pre-building that into your arguments. And when you begin to speak at this higher level, and if you are approaching this second aspect, which is the qualitative and the quantitative material impact that you're going to disclose, there has to be defensibility. And if you choose to leverage a black-box type of one-off algorithm in order to quantify that risk, that is certainly your choice. But you need to understand that you're going to be hard pressed, if that is challenged, to defend it. And the idea of an open standard - and to answer your question as well, Tom, there is one, there can be only one. And right now that one is the FAIR ontology - it's managed - the Open FAIR standard is managed under The Open Group. But also the FAIR Institute is promoting it; there's lots of information there. So this is an open standard; you could go download it and understand it right now, today. That's a key thing in defensibility. It's based on sound statistical analysis that has a heritage and foundation. For centuries, we've been insuring wooden sailing ships and things like that. This is the heritage of the FAIR model. And that's why it's the place we recommend for you to go for that CRQ piece.

Tom Rourke 18:26

As always with The Progress Report, we're looking to conclude on, you know, part of the message in terms of what progress might look like in a particular field. And if I could maybe invite both of you to give me your top two or three recommendations to organizational leaders as they consider this issue, about how they would prepare for, or progress, their organization's posture.

Greg Spicer 18:47

Everything we're talking about today is something that can lead to progress, right? I mean, I think that it really depends on where the organization is. We have customers that are extremely fluent in this risk quantification; they've been doing it for years, and they feel very confident in that. Though the majority of organizations out there, and I'm not always talking about, you know, the $70 billion company, but I'm talking about the $1 billion company, or the $800 million company, or the $5 billion company, they haven't thought about it this way, right? These CISOs, who we respect so immensely, are under so much pressure and time, and they're short staffed, and all those types of things. So they're just trying to keep their head above water as it relates to keeping a bad guy out. But what we're trying to do - I think progress would be that they start to look at cybersecurity and control from a different perspective. And that's not just about, like I said earlier, the technology that you have, the processes that you have, but it's how can I get more budget, for example. If you can go in and start talking about your industry, the threats to your industry, the motivations behind those threats, and then what that impact looks like to our organization currently, then that risk, or that impact, which is financial impact, drops down from a $13 million exposure down to a $6 million exposure. And if they can start talking in those terms, I just assume that that would make life so much easier for them, for the organization, from a defensibility standpoint. And then ultimately, the most important thing in all of this is to thwart the cybersecurity attack that would have happened if they didn't do what they set out to do.

Tom Rourke 20:37

Thank you, Greg. And John, your top two to three recommendations for the future.

John Feezell 20:43

Progress to me looks like three things in this area. Number one would be create a team: don't wait, do it now. This needs to be part of your resiliency play. We talk in the industry now about resiliency. And we're allowed to say the quiet part out loud now, which is: it's not if you're going to be breached, it's when you're breached. And so that resiliency play needs to have a team that's addressing this. The second point is, you need to bring cyber expertise to your board, either in the form of a board member who you designate to be the point person on that, or some advisory body or individual that comes in to advise the board. I've talked about building in defensibility; that's going to be part of your defensibility argument, if you're ever challenged, that you have put this in place. And the third thing that I would recommend, and what progress looks like, is: if you're thinking that you're on the sidelines, if you are a non-US company, or a non-publicly-traded company, and you think this doesn't apply to you, this is a game that you are going to be required to come to, a party that you're going to be required to come to, because in the ruling, third party is mentioned 40 times. This is going to roll down to you, and you need to start thinking about it right now. And progress would be building a team to address this, and then adding the cyber expertise to your board.

Tom Rourke 22:15

Greg, John, thank you for a fascinating discussion. I think what struck me as we went through the conversation is that this is an issue that affects not just the CISO. I mean, while the SEC may have initiated these regulations to try and drive a change in the way in which companies take this issue seriously and respond, it's clear that that response involves more than just the technologies required to defend an organization, but also the professionals needed to understand the implications of these risks for the entirety of the organization, and what that might mean for any future investor, what that might mean for their operations globally. And referring to globally, I think it seems clear that while the SEC may have been a first mover in this area, it is highly likely that other regulators globally are paying close attention and are going to follow very soon. As is often the case on The Progress Report, this sounds like a topic that is evolving and we may well yet return to in the future. And speaking of returning in the future, all I have to say is that if you've enjoyed today's podcast, please do like, share, and subscribe to The Progress Report. Thank you for listening.