
Equifax CISO on changing regulation, disclosure transparency: ‘Buckle up’


SAN FRANCISCO — With the Securities and Exchange Commission poised to require companies to report security incidents to the Cybersecurity and Infrastructure Security Agency and to relevant stakeholders, just how difficult will it be for entities to meet these mandates and improve transparency?

Very difficult, because transparency in breach disclosures is, in its current state, a reactive posture for most organizations and far from commonplace, explained Jamil Farshchi, executive vice president and CISO of Equifax, during an April 24 session at the RSA Conference 2023.

Farshchi joined Equifax in the wake of the company’s massive 2017 data breach, which compromised personal data tied to 182 million U.S. consumers and credit card data for 209,000 individuals. The incident led to multiple congressional hearings, the early retirement of senior leadership, and even regulatory and legislative changes.

It also severely damaged the company’s reputation, which Farshchi has been actively working to repair throughout his tenure. The effort has produced a major jump in transparency for the company, in ways most entities would not consider.

“I'm not going to toot my own horn,” said Farshchi. In the wake of the breach, and for the last three years, Equifax has “released an annual security report, which includes a whole bevy of metrics and data points around the interests of our programs.”


The reports contain data points that Farshchi is “uncomfortable sometimes to release,” but releasing them is imperative for transparency. The effort would not have been possible without the CEO, who made it a priority for Equifax.

A handful of other companies have made similar efforts, including HP, which has released similar reports in recent years. However, most companies are stuck in the reactive phase, he added.

Not only that, many of these disclosures lack any substantive language that would actually explain the reported security incident, said Scott Giordano, vice president of corporate privacy and general counsel at Spirion.

“I've read some disclosures that are a disaster, they don't tell you anything useful,” said Giordano. “And if there's nothing useful in them, there's nothing useful for capital markets.”

As regulators continue to shift their enforcement posture and attackers continue to evolve, companies must consider the nature and integrity of their disclosures. The SEC, in particular, intends to require companies to report not just to CISA but also to investors. As things stand, many disclosures amount to theater and offer no meaningful insight to investors.

That’s what needs to change, explained Giordano.

On the whole, companies have made great strides in creating visibility into the attacks and risks they face. The very process of preparing a disclosure should be seen as a positive step, since the executive team has to review those elements.

For Farshchi, the question is whether a disclosure was issued in “good faith.”

The ongoing changes will “solidify cyber as a prominent issue for investors and for boards of directors, and for bankers,” said Farshchi. “It's pushing us down this path where security is going to be quite meaningful to all organizations, it's going to be without a doubt a more high-level topic.”

And in time, it will help security leaders protect their organizations more effectively, he added. “The integrity of disclosures matters.”

“The poster child” for these needed changes is the banking sector, explained Lesley Ritter, analyst and associate at Moody’s Investors Services. The major breaches reported in the banking sector in the early 2010s led to broader regulation, which in turn produced more disclosures and greater transparency.

The financial sector has, in turn, broadened the discourse around cyber. Ritter noted that their recent research has shown a “fair amount of consistency” and improvement in the number of disclosures for the industry in the wake of regulation — regardless of the size of the organization.

In addition to the 72-hour reporting requirements, the SEC will also expect companies to “anticipate and mitigate cyber risk,” Giordano added. “This is a game changer in and of itself, because now you're looking inside the company and saying, ‘What kind of policies and procedures do we have to be able to mitigate these attacks, to be able to defend against them?’”

In short, companies continuing to view cyber as an afterthought are in for a rude awakening.

“Buckle up,” said Farshchi. “The regulators are upset, and they’ve seen where this is going. This is a different game. We all have to step up.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
