The Complex Landscapes: SEC Reporting Regulations and Security Cases

In the ever-evolving world of cybersecurity, recent developments in SEC reporting regulations have added an extra layer of complexity for companies. This blog written by Daphna Singer, CMO at Rampart AI™ explores the key aspects of these regulations, shedding light on their significance and the potential outcomes of ongoing cases with insight from an expert in the field VP and CISO at Zscaler, Sam Curry, who is a Forbes contributor, holds 17 active patents in cybersecurity and a master's degree in counterterrorism and sits on two boards of directors. In addition, Mr. Curry teaches courses at Harvard (online), Wentworth Technology Institute, and Nichols College.

The Arrival of SEC Reporting Regulations

The introduction of SEC reporting regulations brought varied perspectives. The concept of materiality took center stage, emphasizing the SEC's position on informing shareholders about material events affecting companies. While materiality concerning cybersecurity wasn't explicitly defined before, the new regulations added specificity, ensuring no avenue for companies to bypass reporting significant incidents.

In an SEC Press release in 2023, SEC Chair Gary Gensler said “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors.”

This quote illuminates the wide breadth that "materiality" encompasses.

Unpacking the SEC Reporting Landscape

As the regulations took effect, different views emerged. Some viewed it as an essential step to enhance cybersecurity communication between CISOs and the business, closing the longstanding gap. On the other hand, skeptics, saw it as an unnecessary burden, leading to increased expenses and more board meetings.

MGM's Proactive Approach: A Glimpse into Compliance

In October 2023 MGM's preemptive adoption of the regulations reporting requirements set a precedent. By treating a cybersecurity incident as if the upcoming rules were already in place, MGM showcased a proactive approach to compliance, signaling a potential shift in reporting behavior across the industry. 

The Prosecution of Tim Brown and the SolarWinds Saga

Meanwhile, the recent legal actions against Tim Brown, SolarWinds' Chief Information Security Officer, opened a new chapter.

"Everyone in the industry wants to know what do we do in the wake of Tim's case?" Curry said.  "We're waiting for the jurisprudence. We're waiting for the evidence and we should be waiting for the cold light of day and due process to be followed."

Unlike traditional SEC regulatory actions, this case involves allegations that fall into criminal charges, notably fraud and internal control failures. The intricacies of the case prompt questions about responsible risk management and the accountability of executives beyond the CISO.

The Need for Nuanced Risk Assessment

Mr. Curry explains that drawing parallels between Tim Brown's case and past incidents, such as Uber's Joe Sullivan, can be misleading. 

"As the industry awaits the outcomes of ongoing cases and the evolution of SEC regulations, a measured and informed approach to risk management becomes imperative," Curry said. "Practitioners must stay abreast of emerging best practices, learn from legal precedents, and continue fostering a holistic understanding of cybersecurity's intersection with business objectives."

The distinct nature of each case underscores the importance of nuanced risk assessment. 

Security Leverage at the Board Level

Next up, increased security awareness at the board level... something Mr.Curry said has been anticipated for a considerable time. While some expected a direct infusion of security professionals into boards, the more likely scenario is an inclination toward candidates with security expertise when all else is equal.

This shift emphasizes the growing importance of consulting services, especially in cybersecurity advice, sought by boards and C-level executives.

Navigating the Future

Understanding the line between responsible and irresponsible risk-taking remains a critical aspect for cybersecurity practitioners.

"Draw a line in your risk registry and say, above this line, I've got to get that stuff. Below that line, think in terms of how do I do trade-offs with the rest of the business," Curry said.

In the end, the cybersecurity landscape is continually evolving, and adapting to these changes will define the success of organizations in safeguarding their digital assets.