Cloud CISO Perspectives: How new SEC rules can help business leaders
Phil Venables
VP, TI Security & CISO, Google Cloud
Welcome to the first Cloud CISO Perspectives of the year, and the first of our two newsletters for January. Today I’ll be discussing some of the important changes introduced by the U.S. Securities and Exchange Commission’s new Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
How new SEC rules can help business leaders
The start of a new year brings new opportunities, and not always in ways that we expect. One of the new realities of 2024 is that publicly traded companies listed on U.S. exchanges are subject to new rules from the SEC, a change that took effect in December. The rules define when and how those companies must disclose material cybersecurity incidents, and they require a new annual disclosure (in the Form 10-K) describing how management and the board oversee risks from cybersecurity threats. With these requirements may come more scrutiny of CISOs.
This may seem intimidating, but I believe that the new rules help clarify expectations around breach disclosure, and can even improve cybersecurity incident disclosure, document governance, compliance, and risk management programs.
Certainly, we expect to see a formalization in breach-related disclosures as public companies are explicitly required to file a Form 8-K current report with the SEC when they experience a material cybersecurity incident. These current reports should include the “nature, scope, and timing, as well as its material impact or reasonably likely material impact” of the incident on the reporting organization.
However, organizations are not required to provide detailed technical information about their systems or their response, which might expose them to future incidents, and crucially, the reporting clock does not start the moment an incident is discovered. Instead, they must file their report with the SEC within four business days of determining that the incident is material. The rules do require that materiality determination to be made without unreasonable delay after discovery, so the clock cannot be deferred indefinitely. An incident is material when “there is a substantial likelihood that a reasonable investor would attach importance” to it, the rules say.
This means that determining the materiality of an incident will require better crisis communications within organizations, since legal, business, and technical teams will have to come together to make that judgment call. Achieving that goal means more and earlier preparation, in the form of conversations about what needs to be reported to the SEC to meet the disclosure rules without sharing confidential information. If your organization doesn’t have an incident response plan, or hasn’t reviewed the plan in light of the new rules, this is a very good opportunity to do so.
Organizations can also ask the Department of Justice for a delay in reporting incidents to the SEC when the disclosure itself would pose a substantial risk to national security or public safety. The delay must be granted by the Attorney General, initially for up to 30 days, and requests are routed through the FBI, so this is a path to plan for in advance rather than discover during an incident. We have seen historical examples that might qualify for delayed disclosure, so organizations should use their technical teams to identify potentially qualifying incidents and familiarize themselves with the relevant DOJ and FBI guidance.
We encourage business and security leaders to prioritize engaging with CISA and the FBI when incidents occur, especially since doing so is separate from the SEC reporting requirement and does not trigger the four-day timeline. As evident from several recent incidents, engaging with federal agencies can help your business recovery process and provide invaluable insights to prevent future victims.
The new SEC reporting process is only one of many U.S. incident reporting obligations that organizations must abide by. Another is CIRCIA, which, once CISA’s final rule is in force, will require critical infrastructure entities to report covered cybersecurity incidents within 72 hours and ransom payments within 24 hours.
The business value of being able to meet the requirements of the new rules is clear, and aligns with our best-practice guidance. When organizations take security maturity and risk management more seriously, they are both less susceptible to material cyber-incidents and, potentially, more appealing to investors.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
- Spotlighting ‘shadow AI’: How to protect against risky AI practices: The emerging trend of “shadow AI,” the use of consumer-grade AI tools in business settings, poses risks to organizations. Here’s why you should favor enterprise-grade AI. Read more.
- How European organizations are innovating with Google Sovereign Cloud solutions: Check out these examples of how Google’s Sovereign Cloud solutions have helped accelerate the adoption of breakthrough technologies like generative AI and data analytics. Read more.
- New cybersecurity center in Málaga will help build a safer Europe: The Google Security Engineering Center in Málaga is a new hub that will advance the state of the art in cybersecurity and malware analysis. Read more.
- Introducing automated credential discovery to help secure your cloud environment: Google Cloud has launched — at no cost — a secrets discovery tool in Sensitive Data Protection that can find and monitor for stored plaintext credentials. Read more.
News from Mandiant
- Suspected APT targets Ivanti VPN in new zero-day exploitation: Ivanti has been working with Mandiant to mitigate two new vulnerabilities in its VPN appliances that are being actively exploited. Of the more than 10,000 deployments around the globe, we’ve identified hundreds of organizations that have been impacted. Organizations should follow the recommended mitigation steps from Ivanti. Read more.
- Solana cryptocurrency assets stolen in recent attacks: Numerous threat actors have conducted campaigns since December 2023 that use the CLINKSINK drainer to steal hundreds of thousands of dollars worth of funds and tokens from Solana cryptocurrency users. Read more.
Now hear this: Google Cloud Security and Mandiant podcasts
- Intersectional cloud: Where cybersecurity, geopolitics, and AI meet: What impact will cloud have on geopolitics and kinetic warfare? Derek Reveron, professor and chair of national security at the U.S. Naval War College, and John Savage, An Wang professor emeritus of computer science, Brown University, join our Cloud Security podcast hosts Anton Chuvakin and Tim Peacock to discuss cloud’s impact on espionage, combat, and global politics. Listen here.
- From blueboxing to foundation models via network security: Google network security engineering lead Mike Schiffman talks about why he came to Google to work on network security, what unexpected network security challenges he’s discovered here, and just what exactly gen AI foundation models have to do with it all. Listen here.
- Hacktivists continue to use DDoS: For the first Threat Trends episode of 2024, host Luke McNamara is joined by Mandiant Senior Technical Director Jose Nazario and Principal Analysts Alden Wahlstrom and Josh Palatucci, who go deep on the hacktivist distributed denial-of-service activity they tracked over the last year. Listen here.
- Tales from the 2023 trenches: Doug Bienstock and Josh Madelay, regional leads for Mandiant Consulting, join Luke to walk through some of the trends they have witnessed responding to breaches in 2023. Josh and Doug cover what is happening with business email compromise (BEC), common initial infection vectors, social engineering tactics, and more. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.