Preparing for SEC Cybersecurity Disclosure

Last week, I presented an argument for why the new SEC cybersecurity disclosure guidance is really a big deal for the information security community. If my prediction is right, publicly-traded companies in the U.S. are going to start facing auditor requests for more cybersecurity information by late next year. Companies need to start preparing for those requests now to prevent potential negative shareholder action in the future.

Before moving into specifics, keep in mind that the cybersecurity disclosure guidance doesn't include anything technical. In fact, the SEC specifically states that the disclosure statements do not have to describe specific security controls or provide details related to specific cybersecurity incidents or subsequent corrective actions. Again, the disclosure guidance is working to equate cyberrisks to business risks, and organizations should plan accordingly by focusing on how cybersecurity impacts the business rather than on how it impacts the IT environment.

Also, companies may need to broaden how they define a cybersecurity event. In our experience, organizations exclusively characterize hacking incidents as cybersecurity incidents. The SEC correctly takes a broader perspective by including "unintentional events" in the cybersecurity definition. Therefore, the SEC would likely consider an unplanned outage, such as what apparently hit the Research in Motion (RIM) BlackBerry network recently, as a potential disclosure-worthy event.

To begin preparing for disclosure rules, organizations should consider adopting the following recommendations:

  • Integrate Cybersecurity into Risk Management Functions. Organizations should begin implementing steps to capture information security considerations in their executive-level risk management activities. For organizations with structured risk management functions, one key consideration would be to include a new metric or trigger around cybersecurity that measures the impact that cybersecurity has on defined business functions. For example, banks currently measure the impact of fraud on customer retention processes and have developed thresholds of acceptable vs. unacceptable loss due to fraud. Banks may define an associated security metric for the same processes that identifies and controls unusual online banking activity that could expose individual customers to uncovered losses.
  • Associate Existing Security Controls to Business Risk. Developing an inventory of existing security controls and then tying those controls back to business functions will help organizations gain a better perspective of what they are investing to protect individual business risks. Organizations may also make a determination of what they would consider "common" for their industry versus what they would consider to be "extraordinary." For example, conducting specialized security training for accounting staff may be considered "common" in most industries but deploying a hardened network infrastructure to separate accounting activities from other business functions may be "extraordinary" for many sectors.
  • Identify Cybersecurity Risks in Enterprise Business Processes. Reviewing business processes to determine how an adversary may misuse them to conduct an attack will empower organizations to better prioritize their cybersecurity activities. In our experience, organizations often deploy security controls in ways that the industry says are most appropriate technically but fail to properly protect the business. Understanding how the business is most susceptible to cybersecurity incidents will enable organizations to better disclose the preventative actions that they have taken to mitigate the risk and will improve their ability to detect potential cybersecurity events.
  • Establish a Cybersecurity Baseline Financial Model. A detailed financial baseline will assist organizations in differentiating between normal and abnormal cybersecurity expenditures. When abnormal actual and potential expenditures approach a predefined threshold based on business risk analysis activities, then the organization may deem those expenditures to be "material" for disclosure purposes. Otherwise, the expenditures may only represent an allowable deviation from the norm. Again, the organization may define this model based on what it would expect to be industry standards. For example, a financial institution may consider the actual and potential cost for responding to hacked credit card accounts to be a normal cost of doing business. However, an Electronic Health Records (EHR) organization may consider a similar attack on patient records to be significant because of the potential privacy litigation that could occur as a result.
  • Reassess the Enterprise Security Program. Organizations should evaluate how well their existing security capabilities will be able to support the new disclosure guidance and then work proactively to address expertise and resource gaps. By positioning the Chief Information Security Officer (CISO), or another responsible member of the executive team, to participate in business risk management activities, organizations enhance their ability to prioritize cybersecurity expenditures that support the business rather than compliance alone. Also, enhancing incident reporting procedures to include actual and potential financial impacts will empower the organization to make better decisions about how best to protect business functions and respond to adversity.

Broad cybersecurity disclosure will likely represent a significant change in business culture, changing information security from what I call a "smile-and-nod" activity to an integral measurement of business health. Organizations should take care in how they proceed through the transition and seek assistance before the auditors make them react in ways that may be detrimental to their business.

If you would like to comment on this or any of my other postings, you may look for it on Google+ or on LinkedIn and comment there. This helps counter SPAM and promotes intelligent discourse over anonymous rantings.

InfusionPoints, Your Independent Trusted Advisor

We founded InfusionPoints to be our clients' first choice for an independent trusted partner to build secure systems that protect their employees', partners' and customers' data.