SEC's new cybersecurity guidance falls short

CSO Online, March 5, 2018, the Green Sheet & Information Security Buzz, February 28, 2018, comments by Willy Leichter

On Monday, February 26, 2018, the SEC gave publicly-traded companies new cybersecurity guidelines to follow.

What’s included in the SEC’s new guidelines

Much information is in their document, but their primary areas of emphasis are noted below.

“Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”

In other words, companies are supposed to report a data breach as well as risks that could lead to a data breach. They should also evaluate their procedures to make sure they have the notification systems in place to keep senior management informed so they can make good decisions.

The list of risk factors includes: previous or ongoing incidents, probability of occurrence and potential magnitude, adequacy of preventative actions, and costs to maintain protections.

Additional guidance surrounds insider trading to prevent trading on non-public information. In recent breaches such as Equifax, executives sold stock just before their companies announced the massive data breach.

What is NOT included in the SEC’s new guidelines

While at first glance these guidelines sound like they would be helpful, they are largely similar to the prior guidance given back in 2011, when companies were asked to disclose risks. They were not required to provide technical details about those risks, however, so companies gave uninformative disclosures that were basically useless in terms of providing any actionable information.

Back in 2011, the SEC did not impose any consequences for companies that didn’t provide such disclosures, but instead said that if companies ignored its guidance, it would consider adding penalties later. However, it’s now later and they haven’t made any move to add teeth to their latest round of guidance in 2018. In fact, not much is different in this new release from what they said in 2011, and we’ve already seen how (in)effective their 2011 guidance has been.

Telling companies it’s important to have good plans in place and not to trade on insider information is about as effective as telling your kids you hope they choose to eat vegetables and pass on cookies and candy before dinner.

All bark and no bite

Without any bite behind these guidelines, there is nothing behind the bark and they amount to little more than suggestions. Fortunately, and in sharp contrast, stronger cybersecurity laws exist at the state level. Forty-eight states plus Washington DC and Puerto Rico have breach notification laws that do have some consequences to motivate companies to comply. As a recent example in progress, the state of Pennsylvania has filed suit against Uber for not disclosing its breach – and in fact, paying ransom to the hackers – to keep the breach hidden. There is little doubt fines and penalties will result in that case. New York and California also have strong breach notification laws.

In even sharper contrast, in just a few months the European Union’s General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, and it won’t mess around with handing down enormous penalties. The GDPR imposes fines of up to 20 million euros (just under $25 million) or 4 percent of a company’s annual global revenues, whichever is higher. These penalties apply to any company handling – or mishandling – information about European citizens. For more information, see our recent article on the GDPR.

What else is missing?

Penalties are not the only important thing lacking from the latest guidelines, as Willy Leichter, Vice President of Marketing at Virsec Systems Inc., a cybersecurity provider, points out below.

Willy notes: “The word ‘privacy’ does not appear anywhere in the SEC document.

“While data privacy may not be in the SEC's purview, cybersecurity incidents most commonly involve breaches of customer data and ensuring loss of privacy, confidence and customer trust.”

"Requiring disclosure of cyber security gaps that may not yet have been exploited is important, as is barring insider trading on non-public knowledge of a breach," Willy stated. "However, recommending 'timely' notification of breaches is far too vague. Was Equifax's months-long gap in public disclosure timely?"

In summary, these guidelines may make a small advancement in the right direction simply by highlighting the need for more attention on this subject. But clearly, companies need to do far more, and be held far more accountable, in the area of cybersecurity and data privacy.

Read full CSO Online SEC’s new cybersecurity guidance falls short article
Read full Green Sheet SEC toughens cybersecurity guidelines article
Read full Information Security Buzz SEC toughens cybersecurity guidelines article