Chapter 3 - Managing Risk at Your Existing Perimeter & The New Tactical Edge Security
November 27, 2023 | Dr. James Norrie
In the last chapter of our blog series, we offer five specific steps you can take in light of the new SEC disclosure rules, particularly related to the measurement and management of risk both within your security perimeter and beyond it, at the emerging and now farther-out tactical edge. What are you doing to anticipate how these new disclosures are going to affect the internal governance of your security and compliance risk under this new regulatory lens? If that is your focus and you are ready to act, this episode will definitely be helpful!
Step #1: Rapid Compliance Readiness – Enhanced Event Reporting Requirements
Given the enhanced event reporting requirements, and a strict 4-day timeline once materiality has been determined, you should immediately conduct an internal incident response simulation (IRS) to stress test your existing processes and benchmark how they respond under these new conditions. This establishes a gap assessment of the areas of governance, data, or decision-making the team struggled to define or meet, and helps ensure that your processes are subsequently refined and properly implemented before you have to rely on them under the conditions of an actual breach. This step is #1 because of both its urgency and its high value to any enterprise coming under these new regulations, and it is an easy first step with which to engage your organization expeditiously. And of course, we can help.
Step #2: Elevating Record Keeping and Communication for SEC Defense and Executive Decision-Making
As an additional step related to the first one, the design of your new compliance processes also requires a substantial increase in official record keeping efforts, including dates and times, tracking the detection, assessment, and determination of materiality in real-time. If required, these become vital as a defense in any query or enforcement action taken by the SEC. In addition to any new methods, processes, or tools you put in place to support your longer-term cybersecurity governance and risk management, you will need to enhance communication among those internal parties responsible for both preparing public disclosures alongside those with applicable domain knowledge and expertise responsible for assessing non-financial materiality. This collaboration among your internal teams – along with their respective external experts – will require integrated working groups and faster communication channels to support more timely and effective executive decision-making to meet the requirements of these new guidelines.
Step #3: Transformative Strategies for Third-Party Risk Mitigation in the Era of Vendor-Originated Cyber Attacks
With the SEC clearly declining any transfer of liability for a vendor- or partner-originated attack as a way to deflect your responsibility for reporting a breach, you should immediately adopt third-party risk assessments (or “TPRA” in the professional lingo of the security industry) or perimeter assessments. As the extent of your liability moves out to some of your furthest endpoints and through the APIs and interconnected systems on which you rely in your supply chain, for example, you need to consider just how far out your tactical edge goes now. Where does it stop and why? How do you assess and either accept or mitigate the risk in your downlines and supply chain? Does this change a system integration decision which may have had a business benefit, but now presents an offsetting legal liability sufficient to undo it?
These are critical risk-informed considerations that are evolving given the need to disclose and report an attack even if it originates outside of your own network. This can best be seen in the recent attacks on Caesars, for example, where the attack vector originated with a technology services provider. Regardless of its origin, and the fact that responsibility could ultimately have been legally deflected onto that supplier, they chose to comply and voluntarily report this breach and its details in a recent Form 8-K filing. That filing, by the way, was followed shortly by a class action lawsuit: a potential consequence of public disclosure, and an impact we are tracking as a possible result of these new SEC regulations, the failure of existing mitigations, and the resulting litigation.
In our experience, unless enterprise security teams are educated about this new legal reality, it may escape them as an immediate cybersecurity priority. But it should not, just because there are not yet fully defined, fully scalable solutions across the full spectrum of TPRA process needs. If you need some initial help, our Human Defense Platform can be extended beyond your own perimeter to automatically include all your downline vendors, suppliers, and interconnected IDs as it relates to reducing human factors risk through cybersecurity awareness education and compliance controls. It permits you to monitor and score these individually by vendor to ensure they are not contributing unduly to your own risk without your foreknowledge and acceptance of the level of risk you are willing to take on. This option can be deployed immediately, concurrent with or after your internal launch of our platform, and lets you easily and seamlessly achieve a first step toward meeting this emerging new SEC requirement.
Step #4: Safeguarding Converging OT and IT Environments for Executive Vigilance
Another area of emerging concern for many of our clients is the rapid realization that OT and IT environments – long since air-gapped and running quite separately – are now merging and creating new opportunities for threat conversion across the enterprise. Recently, Clorox faced a large and material financial loss through exactly this kind of attack, which took down several of their production sites. In a manufacturing environment, the priority is always on plant safety and availability, as it should be.
Yet cybersecurity must now be included as a credible source of both OT- and IT-related contagion, with some types of attacks even able to migrate between the two domains. Here again, there is an obvious need for anyone with a significant OT- or ICS-enabled environment to rapidly assess their security strategy, because your newly required 10-K filing will have to address both OT and IT threats. Scrutiny of any gaps will be intense given recent OT-related cybersecurity attacks worldwide. So, assess your vulnerability and risk in this distinct risk domain and incorporate it into your overall security strategy.
Step #5: Navigating SEC Rules and Proactive Disclosure in a new Cybersecurity Landscape
The SEC rules pose another dilemma: there is no allowance under these new guidelines for any displacement of your public reporting requirement in deference to anything else, except for one limited, law-enforcement-related exception (the details of which are not yet quite clear) granted by the Office of the Attorney General, assuredly a high bar for delaying a report. Executive teams need to consider actions to clarify legal and regulatory complexity ahead of time, not in real time, as the issues must be settled internally well in advance of needing to file either an event or an annual filing.
Let’s consider an example of one such complication: you are breached through a private company that provides you with IT or cloud services. You become aware of the details of the breach from them in due course, and your process determines that it is material and now reportable. Consider that your existing contract may contain non-disclosure or confidentiality clauses preventing you from disclosing that information; or, if it does not stipulate that you cannot, it may still not specifically enable disclosure, because it was negotiated well before these new guidelines were issued. But given their compliance priority, these rules create a situation in which you end up disclosing a breach before it is reported by the other company, with all the consequences related to that order of disclosure for both parties. What implications does that have, and how will you make attendant changes to existing service and license agreements, for example, to deal with this situation in advance of it occurring? There will definitely be learning to be accomplished together as we all go forward in this brave new regulatory world.
Let’s consider another interesting situation: an attack occurs, you determine that the event is not material, and as a result you do not intend to disclose it. Meanwhile, other publicly traded companies, some perhaps even in the same industries, make a different determination and opt to start disclosing these attacks. The reports attract media attention, and your security team and external experts determine that the attacks are likely of the same type, contagion and/or attack vector, and consequences. In fact, they are likely identical attacks, maybe even with a common suspected source…
Should their timely disclosure be considered in your own assessment of materiality, or not? Does it matter enough to change your determination? Why? Or might a post-facto comparison of those decisions by the regulator change its view, if one company opted through an abundance of caution to disclose an attack while others in the same industry did not? While we obviously haven’t yet gotten to that point, we soon will, because full public disclosure enables comparisons among peer responses. Until we have the benefit of hindsight about how companies and regulators navigate this tricky situation, we are likely to see earlier and more proactive disclosure decisions to reduce the risk of an enforcement action – or, as we often say at cyberconIQ, the decision to mitigate instead of litigate.
If anything in this series is something you are struggling with, or could use an expert resource to support you, we would like an opportunity to speak with you. Or you can learn more about us at cyberconIQ.com, or reach out to sales@cyberconIQ.com.
If you are part of an industry organization or association and would like Dr. Norrie to speak to your audience, reach out to book him for a keynote. Dr. Norrie is a passionate advocate for our profession and the need for us all to find ways to conquer human factors cybersecurity risk. Accidental insiders, social engineering, business email and credential compromise, and a whole host of other tactics are causing operational, financial, and reputational harm at scale every single day. Nobody is too small to be attacked, and the consequences are severe. And if you are a public company under SEC regulations, the era of mandated reporting of those attacks is now upon us. Our Human Defense Platform was created to help right the balance between attackers and defenders, and to measurably reduce enterprise security risk to tolerable levels – exactly what the new SEC regulations now demand. So, if you find this series helpful, please share it in your network.
Want more in-depth recommendations? Read our recent White Paper on this topic here.