CISOs and Their Companies Struggle to Comply With SEC Disclosure Rules

Published : 23/11/2024   Category : security




Most companies still can't determine whether a breach is material within the four days mandated by the SEC, skewing incident response.



About six months ago, CISO Steve Cobb noticed that the contract language proposed by public companies had some notable additions.
In the case of a breach, publicly traded companies wanted more control over how their third-party providers responded to an incident — in some cases, they proposed to take over the incident-response process or wanted the third-party provider to make a determination within hours of whether a breach could be material, says Cobb, who manages cybersecurity for risk intelligence firm SecurityScorecard. The company has even seen similar contract language proposed by its own customers, he says.
The impetus for the changes? The Securities and Exchange Commission's ruling on cybersecurity risk management and incident disclosure, which went into effect last December, and which is changing how companies handle incident response along with their third-party suppliers, he says.
"[P]ublic companies are putting within contractual agreements that if one of their suppliers has a breach, they essentially give the rights to the public company to take over the incident response process," Cobb says. "It's scary for a for-profit organization [and] it's a really dangerous slope to go down."
The impact on private third-party providers is just one way that enterprises are attempting to change their operations to comply with the SEC's mandate. Already chief information security officers worry that they will be held to account for any mistakes in determining the materiality of a breach and point to the prosecution of SolarWinds' CISO as representing the personal risk of the position. Companies could face millions of dollars in fines if they fail to notify the SEC of a material breach.
Overall, 68% of cybersecurity teams do not believe that their company could comply with the four-day disclosure rule, according to a survey published on May 16 by cloud-security firm VikingCloud.
The largest public companies already have disclosure committees to determine whether a variety of events — from severe weather to economic changes and geopolitical unrest — might have a material impact. Adding cybersecurity incidents to their purview requires that various groups — IT, cybersecurity, legal, and business — be brought together and be presented with the necessary information to make a determination, says Naj Adib, principal for cyber and strategic risk at consultancy Deloitte.
"The necessary level of effort is really about bringing those pieces together and having that orchestration between various parts of the organization," he says. "Organizations [need] to say, for these risk domains and these risk factors, what would constitute something material to me."
CISOs can use tabletop exercises to help companies create the right process for determining materiality and to collect the evidence needed to sign off on a disclosure within the four-day window.
Companies that cannot determine the impact of an incident with certainty may end up disclosing a breach preemptively to satisfy potential notification requirements. Such concerns led financial-services giant Prudential to proactively file a disclosure statement with the SEC in February, despite the fact that the company had only started its investigation and had no indication that the breach would have a material impact.
While larger companies have focused on the issue for over a year — even before the rule was finalized — smaller companies have had a more difficult road, says Matt Gorham, leader of the Cyber and Privacy Innovation Institute at consultancy PricewaterhouseCoopers. Companies need to focus on creating a documented process and saving contemporaneous evidence as they work through that process for each incident.
"There's a great disparity from one company to the other ... and between incidents," he says. "Initially, you may have decided that [the breach] may not be material at that point in time, but you're going to have to continue to assess the damage and see if it's risen to the level of materiality."
So far, there has not been a large volume of filings, so there is not enough data to pick out a trend, he says.
Smaller companies, along with third-party providers, are likely less prepared, and they are a worry for their publicly traded clients.
Companies with smaller cybersecurity teams — where analysts also configure security controls — can run afoul of regulations due to the human element. In a survey of security teams, for example, VikingCloud found that four-in-ten cybersecurity professionals have not reported an incident for fear of losing their jobs.
The reason behind the fear? The worker who triaged the incident is likely the same worker who configured the security controls, says Jon Marler, a cybersecurity evangelist at VikingCloud.
"They have a really thin small team, and because the team is so small, you don't have that separation of duties," he says. "I think a lot of the way to solve this culturally is to set up things in place so that the person who finds a problem isn't the person who gets fired for finding it. You don't want to punish people for success."
Security analysts are not the only ones feeling the pressure, of course. While SecurityScorecard's Cobb feels he has the support needed to create a strong cybersecurity process to comply with customers' disclosure needs, he also believes he is in the minority. For the most part, CISOs are being asked to take responsibility for a determination of materiality when they often have neither the authority to make recommendations nor the budget to implement them, he says.
The CISOs are the tip of the spear, the leading edge facing the legal repercussions of breach response, he says.
"CISOs are becoming kind of expendable, if you will," he says. "You put one down and bring another one in and start the whole process over again until the [next] breach happens. For the cybersecurity industry, that's a really bad sign on the horizon of where we may be headed."
