Arvind Parthasarathi of Cygnvs explains how public companies can navigate the new SEC rules that shorten to four days the timeline for disclosing major cyber incidents.
The Securities and Exchange Commission’s new rules requiring public companies to disclose material cyber incidents within four days are set to take effect in December. Public companies have always had to disclose material events, but there are some important aspects that make these new rules significant.
First, the timeline of four days from materiality is very short. Cyber incidents are complex and involve a whole set of stakeholders from within the organization—security, IT, in-house legal, executives, boards, and public relations—as well as external service providers such as law firms, forensics, consulting, and insurance.
Second, a cyber incident can evolve quickly, and the situation and the underlying facts on what is and isn’t known change frequently during the response effort. Once the first disclosure has happened, the situation might change, requiring another disclosure, and another, and so on.
Third, the SEC rules specifically include cyber incidents affecting an organization’s data held by a supplier. Public companies have hundreds of suppliers holding their critical information, and incidents at those suppliers are now subject to these reporting guidelines. Public companies are starting to impose strict disclosure timelines on their suppliers so that the public companies can comply themselves. The impact of this rule isn’t limited to public companies but extends to their entire supply chain, which represents most companies, public or private.
Since the new rules came out, we’ve seen an example of a public company that had a cyber incident, put out multiple 8-Ks in a short period, and experienced a plummeting stock price. This runs counter to the past, when the stock market forgave cyber incidents by allowing a fallen stock price to recover quickly. The lesson here might be that the financial markets are forgiving of the cyber incident itself but expect companies to control and manage the resolution effectively and efficiently.
There is a parallel and critical lesson from the Sarbanes-Oxley rules around financial reporting promulgated in 2002. Organizations wouldn’t have been able to comply with Sarbanes-Oxley 10 years earlier, when most public companies were closing their books using lots of accountants, ledgers, and spreadsheets.
It was only the advent of global financial systems, widely deployed by organizations in the 1990s and providing a single view and system of record of financials across divisions and subsidiaries, that enabled organizations to meet Sarbanes-Oxley’s onerous requirements.
Similarly, organizations today need a cyber incident command center with a single view of the cyber incident dashboard and system of record for the incident response. This system of record should span the diverse workstreams of the incident response and bring in internal stakeholders as well as external providers such as law firms and forensics.
This command center also needs to be separate from the corporate network because normal communications channels may be unavailable or compromised. The incident command center allows the organization to control who gets to see what and when, which helps protect legal privilege.
The need for integrated and contemporaneous reporting of incidents in a comprehensive and organized manner—even if they may not appear to be material initially—will become even more pressing in light of the new rules. Taken by itself, one incident may not be material. But five discrete incidents added together might very well be.
Among other benefits, integrated reporting facilitates collaboration between different stakeholders, such as chief information security officers, chief financial officers, and general counsel, who need to work together to assess the material impact of incidents.
Organizations should consider the following recommendations to plan for the inevitable cyber crisis and its associated reporting requirements with a cyber incident command center:
Build a realistic response plan inside the cyber incident command center. Most cyber incident response plans fall on a spectrum. On one end is the plan built to “check the box,” which can’t be executed because no one trusts it. On the other end is the 248-page comprehensive plan, which can’t be executed because no one has read it.
Cyber incident response plans need to be simple and broken out into step-by-step tasks that are tailored to each person’s role and responsibility. The response plan must morph from a regulatory checklist to a guided playbook that orchestrates the various stakeholders while providing visibility and tracking.
Do a “tabletop” simulation to practice a cyber incident.
Companies that conduct tabletop exercises often say the table is cleared right after, because everyone leaves with no institutional memory or learning. That’s why these simulations should be performed inside the incident command center, so everyone within the company builds “muscle memory” on where to go in a cyber crisis and what to do.
These tabletop exercises should be done with the security and IT teams as well as with the broader group of in-house legal, executives, and even board members that will be involved and making decisions in an actual cyber crisis.
Onboard your key suppliers into the incident command center.
Most companies have critical and sensitive information held by their suppliers, and a breach of the supplier can be a breach of your information. Companies must bring their key suppliers into their incident response process, share playbooks and response strategies, and collaborate effectively and efficiently in a cyber crisis.
This onboarding of suppliers should be done before the incident, so every supplier has a mutually agreed playbook with the organization of what to do and when.
Given all the challenges, preparing to meet these new requirements is no small feat. Establishing a command center will put you on firm footing to confidently respond to a cyber incident and meet the new reporting mandate.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Arvind Parthasarathi is the founder and CEO of Cygnvs, an acronym for cyber guidance virtual space, which helps organizations reduce cyber risk.