About six months ago, CISO Steve Cobb noticed that the contract language proposed by public companies had some notable additions.
In the case of a breach, publicly traded companies wanted more control over how their third-party providers responded to an incident — in some cases, they proposed to take over the incident-response process or wanted the third-party provider to make a determination within hours of whether a breach could be material, says Cobb, who manages cybersecurity for risk intelligence firm SecurityScorecard. The company has even seen similar contract language proposed by its own customers, he says.
The impetus for the changes? The Securities and Exchange Commission's rules on cybersecurity risk management, strategy, governance, and incident disclosure, which took effect last December and which are changing how companies handle incident response along with their third-party suppliers, he says.
“[P]ublic companies are putting within contractual agreements that if one of their suppliers has a breach, they essentially give the rights to the public company to take over the incident response process,” Cobb says. “It’s scary for a for-profit organization [and] it’s a really dangerous slope to go down.”
The impact on private third-party providers is just one way that enterprises are attempting to change their operations to comply with the SEC's mandate. Already, chief information security officers worry that they will be held to account for any mistakes in determining the materiality of a breach, and they point to the SEC's charges against SolarWinds' CISO as an example of the personal risk that comes with the position. Companies could face millions of dollars in penalties if they fail to disclose a material incident to the SEC within the required four business days of determining that it is material.
Overall, 68% of cybersecurity teams do not believe that their company could comply with the four-day disclosure rule, according to a survey published on May 16 by cloud-security firm VikingCloud.
Large Public Firms Already Have the Tools
The largest public companies already have disclosure committees to determine whether a variety of events — from severe weather to economic changes and geopolitical unrest — might have a material impact. Adding cybersecurity incidents to their purview requires that various groups — IT, cybersecurity, legal, and business — be brought together and be presented with the necessary information to make a determination, says Naj Adib, principal for cyber and strategic risk at consultancy Deloitte.
“The necessary level of effort is really about bringing those pieces together and having that orchestration between various parts of the organization,” he says. “Organizations [need] to say, for these risk domains and these risk factors, what would constitute something material to me.”
CISOs can use tabletop exercises to help companies create the right process for determining materiality and to collect the evidence needed to sign off on a disclosure within the four-day window. The window is four business days, and it starts when the company determines that an incident is material, not when the incident is discovered, so the materiality determination itself has to be made without unreasonable delay once the facts are in hand.
Companies that cannot determine the impact of an incident with certainty may disclose a breach preemptively to satisfy potential notification requirements. Such concerns led financial-services giant Prudential to file a disclosure with the SEC in February even though the company had only started its investigation and had no indication that the breach would have a material impact.
Every Company’s Response Differs
While larger companies have focused on the issue for over a year — even before the rule was finalized — smaller companies have had a more difficult road, says Matt Gorham, leader of the Cyber and Privacy Innovation Institute at consultancy PricewaterhouseCoopers. Companies need to focus on creating a documented process and saving contemporaneous evidence as they work through that process for each incident.
“There’s a great disparity from one company to the other … and between incidents,” he says. “Initially, you may have decided that [the breach] may not be material at that point in time, but you’re going to have to continue to assess the damage and see if it’s risen to the level of materiality.”
So far, there has not been a large volume of filings, so there is not enough data to pick out a trend, he says.
Failure to Report
Smaller companies — and third-party providers — are likely less prepared, which makes them a worry for their publicly traded clients.
Companies with smaller cybersecurity teams — where analysts also configure security controls — can run afoul of regulations due to the human element. In a survey of security teams, for example, VikingCloud found that four in ten cybersecurity professionals have not reported an incident for fear of losing their jobs.
The reason behind the fear? The worker who triaged the incident is likely the same worker who configured the security controls, says Jon Marler, a cybersecurity evangelist at VikingCloud.
“They have a really thin small team, and because the team is so small, you don’t have that separation of duties,” he says. “I think a lot of the way to solve this culturally is to set up things in place so that the person who finds a problem isn’t the person who gets fired for finding it. You don’t want to punish people for success.”
CISOs: “Tip of the Spear”
Security analysts are not the only ones feeling the pressure, of course. While SecurityScorecard’s Cobb feels he has the support needed to create a strong cybersecurity process to comply with customers’ disclosure needs, he also believes he is in the minority. For the most part, CISOs are being asked to take responsibility for a determination of materiality when they often have neither the authority to make recommendations nor the budget to implement them, he says.
The CISOs are “the tip of the spear” — the leading edge facing the legal repercussions of breach response, he says.
“CISOs are becoming kind of expendable, if you will,” he says. “You put one down and bring another one in and start the whole process over again until the [next] breach happens. For the cybersecurity industry, that’s a really bad sign on the horizon of where we may be headed.”
Source: www.darkreading.com