For some time now, public companies in the United States have been on notice that the Securities and Exchange Commission (SEC) is cracking down on the reporting of security incidents. Now that the compliance deadlines are here, it seems a bit more real. As a complement to my recent webinar SEC Cybersecurity Ruling: Application security + incident response, this piece serves as a recap and a checklist of what businesses – both public and private – need to be focusing on now that the SEC disclosure rules are in effect.
Common Application Security Challenge
Looking at the SEC incident disclosure requirements through the lens of application security, there’s quite a bit at play. Given the all-too-common lack of application security oversight, combined with the complexity of the average application environment, there’s a lot to consider.
I often see little to no web/application testing across the entire application ecosystem. That’s bad in and of itself, but it gets worse. There’s often a lack of security, and especially of incident response integration, within the software development lifecycle. Then there’s the false sense of security that paperwork such as security policies and incident response plans brings about. Finally, add the lack of the right people on board and the reality of users, vendors, and other parties dictating how things work in and around application security, and there is a very convincing case that application security needs to be a huge part of the SEC incident disclosure discussion. After all, many enterprise applications are “where the money is”.
Your application security efforts should fall under the umbrella of your incident response and overall business continuity plans. Still, I often see application security fully excluded from these initiatives, which typically leads to negative outcomes.
The enforcement teeth are starting to show
Like many other government and industry regulations we’ve seen over the past two decades, the SEC disclosure requirements are really nothing new. It’s all about common sense security practices and doing what’s right for stakeholders – in the case of the SEC requirements, stockholders in particular. We’ve seen what has and has not happened in terms of Gramm-Leach-Bliley and HIPAA enforcement. PCI DSS enforcement has been a bit more stringent. However, this SEC ruling has some serious teeth. For example, take the story of Tim Brown, CISO of embattled SolarWinds, who was recently charged by the SEC with defrauding investors stemming from his company’s December 2020 attack. The action being taken by the SEC, and these charges in particular, raise the following questions:
- Will this create a chilling effect on the CISO role by people not wanting to put themselves in the situation of being personally liable for security incidents?
My quick take: possibly so in the short term, but I, and I know many others, are hoping for more positive outcomes in the long term.
- Will this (finally) provide CISOs with the buy-in, budget, respect, and authority needed so they can finally start gaining traction and getting things done?
I believe so, at least over the long term. This has been in the making for over a decade. It might get worse before it gets better, but I do believe that we are going to see business executives, legal counsel, and other stakeholders start taking the CISO role a bit more seriously, as they should have been doing all along.
- Who owns the risk once an incident occurs: the CISO, executive management, or the board?
This is a tricky situation, but the reality is that a CISO should be seen as an advisor on information security. Executive management and the board ultimately must answer for what’s going on.
Top things you can do right now to get your business on board
The good news is that, with these SEC requirements, nothing is new. The bad news is that this SEC ruling is quite prescriptive and very aggressive in terms of timing. In addition to describing their efforts around risk management and security oversight, public companies must now disclose material security incidents within four days on an 8-K report. Similarly, Foreign Public Entities (FPIs) – businesses that are incorporated outside of the United States – must also:
- Describe the board’s oversight of risks from cybersecurity threats.
- Describe management’s role in assessing and managing material risks from cybersecurity threats.
- Furnish Form 6-K information on material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders.
So, are you doing the right things to move forward with these SEC requirements? Consider the following a minimum set of steps that must be taken:
- Work with legal counsel on how you will demonstrate compliance in the event of an incident.
- Understand what “material” truly means to your business and apply it to your specific incident response efforts.
- Ensure that you have gotten a handle on the information security basics, to minimize the low-hanging fruit that keeps getting so many businesses into trouble. This includes secure coding practices and the overall software development lifecycle, vulnerability and patch management, and overall visibility within your network. The key is to know what’s where and understand how it’s at risk at any given time.
- Build out and properly manage your incident response efforts.
Next steps for you and your business
In the context of application security and incident response, you need to be prepared to answer the following questions as they relate to the SEC incident disclosure requirements:
- What are our specific requirements?
- Are we focusing on all the right things and being intentional with our efforts?
- How are we meeting the SEC requirements?
- Outside of security, legal, executive management and the board, who else may need to be involved?
- What else can be done at the board level to ensure compliance? This might involve metrics, a security scorecard, and someone internal who’s not only evangelizing security but appropriately leading those efforts. The focal point for CISOs should be establishing and maintaining relationships and educating all the right people, not just today in the context of the SEC disclosure requirements, but going forward with the organization’s overall information security program.
Moving forward: more of the same or a new security reality?
Only time will tell how all of this will play out. With the SolarWinds situation, the precedent has been set. Now it’s up to what happens in the Tim Brown case to show how future enforcement might play out. As we’ve witnessed, especially in recent years, the U.S. federal government is going to do what it believes is necessary to accomplish its goals, so it’s best to be prepared.
One of the best things you can do is to expect the unexpected. Security incidents have already happened, and they’re going to continue happening. It’s not whether you can stop those incidents but rather how you respond to them when they arise that counts. As Jim Rohn once said, “failure is not a single cataclysmic event. You don’t fail overnight. Instead, failure is a few errors in judgment, repeated every day.” If you approach your application security and incident response efforts with this in mind, you can get – and stay – ahead of the curve.
As the security leader, or at least someone involved in the overall security posture of your organization, all eyes are going to be on you when incidents occur. Not that they should be, since executive management and the board ultimately need to have the final involvement and word. Still, people will be watching to see how you respond. Why not go ahead and prepare for the worst in advance, on your terms, rather than trying to wing it once the going gets tough and regulators and lawyers get involved?
It seems that now’s the time to press forward with fine-tuning your information security program – especially your incident response efforts, application security included. These things aren’t going to get any easier. It makes sense to put in the time and effort now to get (and stay) on the right side of history, so that incidents are not so impactful when they arise.