We’re now in 2024, and with it comes a new set of challenges that today’s security leaders must face. High on the list: the Securities and Exchange Commission’s (SEC’s) new cyber rules, which went into effect Dec. 18 and require public companies to report a “material” breach within four days.
Despite being initially announced last July, security teams say achieving compliance isn’t clear-cut, leaving many organizations grappling with how to do so effectively.
Many security organizations say that determining materiality thresholds is a major challenge, pointing out that deciding what makes an incident “material” is not always black and white.
It’s difficult to standardize because materiality thresholds vary from company to company. An incident resulting in $X financial loss might qualify as material for one type of company, but not another. Without a concrete definition of a “material” impact on operations, revenues, or stock price, security pros are concerned that the rule can feel somewhat arbitrary and may lead to some material breaches going unreported.
Companies need to make their own determination of what counts as material, and that determination should be the first step in their efforts to comply with the SEC cyber rule. Executives should take a risk management approach and examine the severity of loss their organization may experience as the result of an incident. This includes both direct losses — like financial loss due to paying a fake invoice or having to pay a fine — and indirect losses, including repercussions from damage to brand reputation.
This will require close collaboration between CISOs and CFOs, to better understand how to balance the cost of addressing cyber risk levels and the cost of the potential consequences of not addressing them. CFOs and CISOs should learn to speak each other’s languages—CISOs need to appeal to the strategic interests of the CFO and communicate how company decisions can create risk, but this goes both ways. CFOs also need to understand cyber risk and what risks may impact financial statements and the materiality of reporting breaches.
The need for timely incident reporting
Organizations are also struggling with the stipulated time frame for reporting material incidents. The rule assumes that breached organizations are aware of a material compromise and that reporting it within the required four days from discovery is timely enough. But in many cases, organizations won’t know the extent of their material damages until long after the incident has occurred.
Companies often experience breaches in which an attacker was already inside their corporate network — sometimes for weeks or months — before the attack was identified, as happened in the SolarWinds attack. We also recently saw this with the hack on U.S. government email accounts through a Microsoft vulnerability, where the attackers lurked within those accounts for as long as a month before customers noticed anomalous mail activity.
Preventing long-undiscovered intrusions and account takeovers requires a strong security foundation with a layered approach. Teams can start with steps that help prevent infiltration, like air-tight multi-factor authentication, coupled with a strong vulnerability and application security program.
From there, companies need to add layered defenses that improve detection in cases where an attacker does manage to compromise an account. Cybercriminals have gotten very good at flying under the radar once inside, and that’s precisely what makes these kinds of breaches so difficult to report against a time-based deadline. Having an anomaly detection engine as part of the security stack can help shorten dwell time if an account gets compromised, if not prevent it altogether.
Increased disclosures will help everyone concerned with cybersecurity, and companies have a duty to be transparent with their customers and investors. While there are still some uncertainties around the practicalities of complying with the SEC’s new cyber rules, there are certain steps that security leaders can take to help improve their compliance posture — steps that reflect best practices for cybersecurity overall, ones that teams should exercise regardless of the SEC’s new rule.
Mike Britton, chief information security officer, Abnormal Security