First batch of SEC cyber rule disclosures boost CISO visibility

The SEC’s new cybersecurity disclosure rules put the burden on companies to give investors current information about material cyber risks. We assess progress so far.

Some large companies are making their first regulatory filings under the SEC’s new cybersecurity rules (effective for compliance purposes in mid-December) and such filings are revealing about their cyber programs.

As the WSJ pointed out this weekend, companies like Lockheed, oil-field services provider Schlumberger and equipment rental company United Rentals are the first major businesses to file annual reports (Form 10-K) with the securities watchdog under the new rules.

“What companies are asking is: ‘How can we say enough without saying too much?’” said Jordan Rae Kelly, senior managing director and head of cybersecurity for the Americas at FTI Consulting.

Cybersecurity incidents

The new regulations require publicly traded companies in the US, and foreign companies that trade in the US, to disclose a cybersecurity incident in an 8-K (quarterly) filing within four business days of determining that the incident is material to the company’s financial performance.

The rule also stipulates that organizations describe the nature, scope and timing of the incident, and its anticipated or observed impact on the organization.

The SEC cybersecurity rules describe a material incident as one in “which there is a substantial likelihood that a reasonable investor would attach importance” in making investment decisions.

The SEC is also requiring annual cybersecurity risk management, strategy, and governance reporting using annual Form 10-K. On this form, the organization must describe its processes to identify, assess, and manage material risks from cybersecurity threats.

Recent 10-K filings

In 10-Ks filed last week, Lockheed Martin, Schlumberger and United Rentals said, as required, that they have a cyber leader responsible for overall cybersecurity and mentioned their boards’ role in cyber oversight, albeit in different ways, the WSJ said.

Lockheed, for example, said its board is “regularly” informed while United Rentals and Schlumberger said the board receives cyber reports quarterly. 

Lockheed said its board of directors is apprised of all cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to the business, but it didn’t explain the process for how it determines materiality. Neither did United Rentals or Schlumberger. 

As more companies submit 10-Ks, cyber disclosures will mature, said Patrick Niemann, audit committee forum leader at the EY Americas unit of consulting company Ernst & Young. Cyber chiefs should work with legal, finance, compliance and other functions to be sure security disclosures are accurate and succinct, he said. 

The CISO

The SEC requires registered businesses to specify the role of the person(s) who oversees cyber decisions, but companies can go further than required and include more detail about that person’s experience or education.

Lockheed identified its chief information security officer as the individual responsible for the overall security strategy. “This is a major change from last year’s report, in which the CISO was not mentioned. As a result, the CISO’s visibility is likely to continue to increase,” said Gaurav Banga, founder and chief executive of cybersecurity company Balbix. 

“My recommendation would be to ensure that the CISO/CSO is an integral part of risk-related committees (such as an ERM one) and has at least a semi-annual direct reporting to the board and relevant board-level committees.”

Iftach Ian Amit, CEO and co-founder of Gomboc.ai

The rules emphasize the role and responsibility of the CISO, who must respond to these material incidents and ensure that each one is reported, both up the chain of command and in a regulatory disclosure.

“The SEC ruling and its disclosure requirements continue to place a lot of pressure and responsibility on the CISO,” Jon France, CISO at (ISC)2, said via email to Cybersecurity Dive. “CISOs are navigating this challenge individually, with their accountability and job difficulty increasing simultaneously.”

Regulatory requirements

We asked Iftach Ian Amit, cybersecurity leader and CEO/co-founder of Gomboc.ai, for his thoughts on the new SEC rule and how it could force major changes in the way firms and CISOs manage cyber risk.

Iftach Ian Amit.
Photo: Private

He also weighed in on whether he thought the rule was going to add pressure on CISOs – possibly even dissuading some talented people from taking on the role.

“To a degree, I hope that these moves will assure that ‘true’ CISOs will remain in these positions, and the proliferation of CISOs that do not really hold the ‘C’ title will either have their roles better defined (as in ‘head of security’, or ‘information security manager’), or the companies that have abused the titles will have to source for individuals who can actually hold an executive level of responsibility,” Amit said.

“I think this regulation will help truly talented individuals ensure that their roles and responsibilities are better defined in the organization so that they can serve and address the regulatory requirements.”

Cyber resiliency

Amit expresses confidence in CISOs’ ability to handle the new challenges, but reminds them to form key alliances within the organization that are built around cyber resiliency and compliance with regulations.

“The CISO/CSO role is an executive one and, as such, encompasses many responsibilities. Part of their job is to closely coordinate and communicate with their peers (CFO, CEO, COO, GC, etc.).

“My recommendation would be to ensure that the CISO/CSO is an integral part of risk-related committees (such as an enterprise risk management one) and this person has at least a semi-annual direct reporting to the board and to relevant board-level committees,” he said.