SEC cyber disclosure rules: the demand for details
Good cybersecurity has always involved walking a fine line between accountability and confidentiality. How much transparency do you need to inspire trust in your defenses? How much secrecy do you need to maintain your advantage over adversaries? In today’s environment, where cybersecurity breaches have become practically inevitable for all companies, the traditional wisdom of hiding, denying, and delaying is slowly giving way to a greater recognition of the value of openness.
This shift is perhaps best reflected in the new SEC cybersecurity disclosure rules, adopted in July 2023, whose incident-reporting requirement took effect in December 2023. The rules require public companies to describe in their annual reports their processes for assessing, identifying, and managing material cybersecurity risks, along with how management and the board oversee those risks. When disaster strikes, companies must disclose material cybersecurity incidents on Form 8-K quickly, with only a narrow exception for delays that the U.S. Attorney General determines are necessary to protect national security or public safety.
These new rules have already resulted in dozens of disclosures of cybersecurity incidents, including some by big names like Microsoft, Prudential Financial, and Hewlett Packard Enterprise. The rules require disclosures to describe the material aspects of the nature, scope, and timing of the incident, as well as its material impact or reasonably likely material impact on the company, including on its financial condition and results of operations. Where that information has not yet been determined or is unavailable at the time of filing, the company must say so and then file an amendment within four business days of the information becoming available.
Even so, some have already noted that disclosures made this year are noticeably light on the details the rules call for. It remains to be seen whether this trend will continue as companies become more accustomed to making these disclosures and as protocols around investigation and disclosure become more defined. There is growing anticipation around when and how the SEC will enforce these rules, which will provide greater clarity on what constitutes satisfactory compliance. There is also speculation that institutional shareholders may begin pressuring boards for greater transparency in these disclosures.
In the meantime, many publicly traded companies (and companies anticipating going public as the IPO market continues its gradual thaw) are looking closely at their tools and talent to consider whether they’re able to adequately assess their security posture, inform their management and boards about material cybersecurity risks, and monitor for and investigate threats to their environments. With the short timelines for disclosure and the looming demand from both regulators and investors for greater levels of detail in disclosures, CISOs will be in need of tools that offer more speed and visibility than they’ve been able to get from traditional cybersecurity tools.
Fortunately for security teams, the cybersecurity market is rife with innovation. Security professionals will need to look to the next generation of tools to thwart attackers while building confidence in the institutions that house our most sensitive data and service our everyday needs. Stairwell is leading the market in designing solutions that enable security teams to contend with the double-fronted challenge of going head-to-head with increasingly sophisticated adversaries while satisfying the information needs of the market and regulators.
Stairwell’s Run-To-Ground accelerates investigations by automatically identifying locations, sources, and variants of malware when it is flagged in an environment. The rules require a company to determine whether an incident is material “without unreasonable delay” after discovery and then to file an 8-K describing the nature, scope, and timing of the incident within four business days of that determination. Under that clock, waiting for an IR firm to conduct a manual investigation will inevitably leave companies scrambling, requiring one (or possibly many) amendments to a filing as the details are painstakingly uncovered over the following weeks or months. Stairwell puts this information at a user’s fingertips in a matter of minutes, giving teams back precious time to prepare a comprehensive report.
Stairwell also supports CISOs in reporting to management and boards about the efficacy of existing tools and protocols. Its threat reports can be used to produce deliverables showing that the malware and tooling associated with the vulnerability-of-the-day are absent from an environment, and to test the efficacy of traditional tools like EDR by searching for variants specifically designed to evade EDR detection.
The SEC has made clear that a materiality determination is required even if a threat has already been stopped or removed, and its definition of a cybersecurity incident covers a series of related occurrences, so a string of individually immaterial, related incidents taking place over time may be material when considered in the aggregate. These situations are challenging for existing solutions, which work almost exclusively on a point-in-time basis and leave behind only log data, which is of limited value once the file itself is gone. Stairwell maintains an image of an environment over time and retains full copies of executable files, allowing for searching and investigating across time. This protects teams from missing the threat that they may not recognize today, but that may later be identified as part of an incident requiring investigation.
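To make the retrospective-search point above (and the "locations, sources, and variants" search described for Run-To-Ground) concrete, here is an added, illustrative example in Python. It is not Stairwell's code and does not model its product; it is a minimal retained-file index that keeps full copies of observed executables with first-seen and removed dates, then contrasts what a point-in-time scan sees on the day an indicator is published against what a retrospective hunt over the retained copies finds. The hostnames, paths, dates, byte strings, and the published hash and byte pattern are all constructed for the example.

```python
"""
Retrospective hunt over a retained-file index (illustrative example, not
Stairwell's product). Shows why retaining copies of executables over time
lets a team answer "when did this first appear, and on how many hosts?"
for an indicator that was published only after the files were deleted.
"""
import hashlib
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Sighting:
    host: str
    path: str
    first_seen: date
    removed_on: Optional[date] = None  # None means still on disk


@dataclass
class RetainedFile:
    sha256: str
    content: bytes  # full copy is retained, not just a hash
    sightings: List[Sighting] = field(default_factory=list)


class FileIndex:
    def __init__(self) -> None:
        self.files: Dict[str, RetainedFile] = {}

    def observe(self, host: str, path: str, content: bytes, seen_on: date) -> str:
        """Record that `content` was seen at host:path on `seen_on`; returns its SHA-256."""
        digest = hashlib.sha256(content).hexdigest()
        rf = self.files.setdefault(digest, RetainedFile(digest, content))
        rf.sightings.append(Sighting(host, path, seen_on))
        return digest

    def mark_removed(self, host: str, path: str, removed_on: date) -> None:
        """The file was deleted from the live host; the retained copy stays."""
        for rf in self.files.values():
            for s in rf.sightings:
                if s.host == host and s.path == path and s.removed_on is None:
                    s.removed_on = removed_on

    def _matches(self, rf: RetainedFile, hashes: Set[str], pattern: bytes) -> bool:
        # Hash match catches the exact sample; the byte pattern catches repacked variants.
        return rf.sha256 in hashes or re.search(pattern, rf.content) is not None

    def live_scan(self, hashes: Set[str], pattern: bytes, on: date) -> List[tuple]:
        """What a point-in-time scan run on date `on` would find on disk."""
        hits = []
        for rf in self.files.values():
            if not self._matches(rf, hashes, pattern):
                continue
            for s in rf.sightings:
                if s.first_seen <= on and (s.removed_on is None or s.removed_on > on):
                    hits.append((s.host, s.path))
        return sorted(hits)

    def retro_hunt(self, hashes: Set[str], pattern: bytes) -> Optional[dict]:
        """Search every retained copy, whether or not it still exists on any host."""
        matched = [rf for rf in self.files.values() if self._matches(rf, hashes, pattern)]
        if not matched:
            return None
        sightings = [s for rf in matched for s in rf.sightings]
        return {
            "variants": sorted(rf.sha256 for rf in matched),
            "hosts": sorted({s.host for s in sightings}),
            "first_seen": min(s.first_seen for s in sightings),  # timing for the filing
            "still_present": any(s.removed_on is None for s in sightings),
        }


def build_sample_index():
    """Constructed sample data: two variants of one loader family plus a benign file."""
    idx = FileIndex()
    marker = b"\x00cfg:c2=updates.example.invalid\x00"  # config string shared by the family
    loader_v1 = b"MZ" + b"\x90" * 40 + marker + b"v1"
    loader_v2 = b"MZ" + b"\x90" * 40 + marker + b"v2"  # repacked variant: new hash, same marker
    benign = b"MZ" + b"\x90" * 40 + b"\x00cfg:c2=none\x00"
    idx.observe("ws-finance-03", r"C:\Users\Public\upd.exe", loader_v1, date(2024, 1, 5))
    idx.mark_removed("ws-finance-03", r"C:\Users\Public\upd.exe", date(2024, 1, 9))
    idx.observe("ws-hr-11", r"C:\ProgramData\svc.exe", loader_v2, date(2024, 1, 20))
    idx.mark_removed("ws-hr-11", r"C:\ProgramData\svc.exe", date(2024, 1, 25))
    idx.observe("ws-eng-07", r"C:\Tools\helper.exe", benign, date(2024, 1, 2))
    # Hypothetical: only loader_v1's hash is in the later-published indicator list.
    return idx, hashlib.sha256(loader_v1).hexdigest()


IOC_DATE = date(2024, 2, 1)  # hypothetical day the hash and pattern are published
PATTERN = rb"cfg:c2=updates\.example\.invalid"


def run_example():
    idx, published_hash = build_sample_index()
    live = idx.live_scan({published_hash}, PATTERN, on=IOC_DATE)
    retro = idx.retro_hunt({published_hash}, PATTERN)
    return live, retro


if __name__ == "__main__":
    live_hits, retro_report = run_example()
    print("live scan on IOC day:", live_hits)   # nothing: both files already deleted
    print("retro hunt:", retro_report)          # 2 variants, 2 hosts, first seen 2024-01-05
```

On the constructed data, the live scan on the day the indicator is published returns nothing, because both copies had already been deleted; the retrospective hunt over the retained copies returns both variants, both affected hosts, and the first-seen date, which is exactly the scope and timing information a filing has to state.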
As the particulars around the SEC’s cyber disclosure rules become clearer in the coming years, we anticipate that adoption of cutting-edge technology will be crucial, not only to surviving in the constantly evolving threat landscape, but also to ensuring a level of transparency that instills confidence in the institutions that we entrust with our data and invest in with our 401(k)s.