I have been honored for my contributions to The Open Group Security Forum. Scroll down the page to see details. This recognition will be replaced by another, so check in from time to time to see who else has made a difference to the information systems security body of knowledge.
Category Archives: Advocacy
Security and Exchange Commission – Statement and Guidance on Public Company Cybersecurity Disclosures
The U.S. Computer Emergency Readiness Team defines cybersecurity as “[t]he activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.
Why this Announcement
Cybersecurity risks pose grave threats to investors, our capital markets, and our country. Companies that fall victim to successful cyber-attacks or experience other cybersecurity incidents may incur substantial costs and suffer other negative consequences.
Disclosure about the board’s involvement in the oversight of the risk management process should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company. Disclosure regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.
What the SEC Expects
The company’s financial reporting and control system are expected to provide reasonable assurance that information about the range and magnitude of the financial impacts of cybersecurity incidents and risks are disclosed, such as:
- Remediation costs
- Increased cybersecurity protection costs
- Lost Revenue
- Litigation and legal risks
- Increased insurance premiums
- Reputational damage
- Damage to competitiveness, stock price, and long-term shareholder value
How is this Accomplished
Companies are expected to maintain comprehensive policies and procedures related to cybersecurity risks and incidents, which must include appropriate and effective disclosure controls and procedures to make accurate and timely disclosures of cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences, and to avoid generic cybersecurity-related disclosure. Cybersecurity risk factor disclosure may include:
- prior cybersecurity incidents, including their severity and frequency
- the probability of the occurrence and potential magnitude of cybersecurity incidents
- adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs
- aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks
- costs associated with maintaining cybersecurity protections, including any applicable insurance coverage
- potential for reputational harm
- litigation, regulatory investigation, and remediation costs
Policies and Procedures
Companies are expected to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly. They must ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications.
How the Security Program Supports this Expectation
An organization must at least have a plan for their security program, ideally evolved to a security management system. Components of the management system should include management of risk, policy , assessments and incidents, which each play a part in meeting SEC expectations. It is key that the security program leader is the senior manager guiding disclosure decisions and certifications through the Chief Executive Officer.
- Press Release: https://www.sec.gov/news/press-release/2018-22
- Statement and Guidance: https://www.sec.gov/rules/interp/2018/33-10459.pdf
- FAIR Institute Blog https://www.fairinstitute.org/blog/the-secs-cybersecurity-guidance-the-rise-of-the-investor-in-the-discussion
- RiskLens Blog https://www.risklens.com/blog/sec-tells-public-companies-to-up-their-game-in-assessing-and-disclosing-cyber-risks
Check a box or measure results
In April, the a blog titled “
S. 536 IN THE SENATE OF THE UNITED STATES MARCH 7, 2017: To promote transparency in the oversight of cybersecurity risks at publicly traded companies.
…issue rules to require each reporting company, in the annual report submitted under 12 section 13 or section 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m and 78o(d)) or the annual proxy 14 statement submitted under section 14(a) of such Act (15 15 U.S.C. 78n(a))—
- To disclose whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience; and
- If no member of the governing body of the reporting company has expertise or experience in cybersecurity, to describe what other cybersecurity steps taken by the reporting company were taken into account by such persons responsible for identifying and evaluating nominees for any member of the governing body, such as a nominating committee.
The Bill is a worthwhile endeavor to improve transparency on cybersecurity security risk in publicly traded companies.
The Securities Exchange Act of 1934 identifies many responsibilities associated with governance, but no expectation of specific expertise or experience. This new requirement could conceivable stimulate proposals to add other expertise such as legal, financial, engineering, software development, and so forth. A course of action is prescribed in hopes that improved transparency of cybersecurity risk results.
The desired outcome in the Bill’s title, “…transparency in the oversight of cybersecurity risks…”, suggests that transparency of risks is the desired outcome. However, the bill fails to define how transparency of risks is to be achieved, and lacks a definition of the term “risk.” The lack of consensus among the security community on a definition of risk provides further mystery as to the desired outcome.
Rewrite the Bill to enhance existing transparency requirements for publicly traded companies. A draft is provided below:
Section 1.A Risk Factors of the Form 10-K requires that the registrant “Provide any discussion of risk factors in plain English…”. Many organization provide a title and narrative of risks that may fit in the definition of “cybersecurity.” However, the reader is not informed of the financial significance of the risk, resulting in less than transparency.
The revised Bill should define risk as probable magnitude of annual loss, and should revise Section 1.A Risk Factors of the Form 10-K to include the probable magnitude of annual loss when reporting cybersecurity risk. This would provide the desired improvement in transparency.
The FAIR Institute (http://www.fairinstitute.org/) and The Open Group – Security Forum (http://www.opengroup.org ) are available to assist NIST with terminology and risk analysis methodology.
FORM 10-K: ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934 – GENERAL INSTRUCTIONS
- Rule as to Use of Form 10-K.
(1) This Form shall be used for annual reports pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) (the “Act”) for which no other form is prescribed.
Item 1A. Risk Factors. Set forth, under the caption “Risk Factors,” where appropriate, the risk factors described in Item 503(c) of Regulation S-K (§229.503(c) of this chapter) applicable to the registrant. Provide any discussion of risk factors in plain English in accordance with Rule 421(d) of the Securities Act of 1933 (§230.421(d) of this chapter). Smaller reporting companies are not required to provide the information required by this item.