Experts in cybersecurity and enforcement gathered on a panel at the SIFMA C&L Conference in Austin to discuss the status quo of cyber threats, as well as the status quo of regulatory oversight.

The panelists noted that increasingly sophisticated and destructive types of scams were on the rise, despite concerted efforts to mitigate them. Often enabled by AI, some of these incursion strategies include:

• account takeovers enabled through “mirror sites,” that request a user’s username and password;
• companies remotely hiring “fake IT workers” who turn out to be foreign threat actors;
• ransom attacks, including targeted CEO harassment leading to suicide.

Scrutiny was also placed on vendor vulnerability, now typified by the CrowdStrike outage that left nearly 8.5m Microsoft operating systems non-functional. The panelists urged industry participants to conduct thorough reviews of their vendors’ resiliency.

Cyber disclosure retreat

During the Biden administration, the SEC made concerted efforts to roll cybersecurity disclosures into its mandatory investor filings, with the intent to protect investors and supply them with critical information about company security. These included annual Form 10-K disclosures describing their cybersecurity program, and situational Form 8-K reports describing a breach shortly after it occurs.

The push to include cyber resiliency reporting in investor disclosures appeared to be gaining momentum, but the CFTC and SEC signaled a change of heart during the second Trump administration. Now, those proposed rules, which would have bolstered cybersecurity reporting requirements, will likely be shelved, and rules in force are at risk of being reversed.

One panelist obliquely criticized SEC’s previously rigorous cyber enforcement regime, which saw the agency raise controversial enforcement actions against companies for failing to accurately disclose cyber incursions and risks in mandatory filings. And in an extraordinary case, the SEC charged IT provider SolarWinds and its Chief Information Security Officer (CISO) with fraud for misleading investors about its cybersecurity risks and failure to disclose a major 2019 breach.

The bulk of that action was ultimately dismissed by a federal district court in a notable defeat for the SEC. Overall, the panelists were sympathetic to the position that the SEC tended to “muddle the issues” of fraud and cybersecurity by lumping them into a single enforcement category. This created dysfunctional and counterintuitive priorities that ended up treating victims as perpetrators of intentional fraud.

The panelists predicted that regulators and SROs will shift their focus to viewing companies that experience cyber breaches as victims, rather than punishing them further for failing to accurately disclose their cyber risks and resiliency.

Future rules on ice

A panelist further noted that cybersecurity rules recently proposed by the SEC and CFTC now have a “zero percent” change of going into force. These rule proposals include the CFTC’s noteworthy operational resilience rule, which would require firms to “identify, monitor, manage, and assess … emergencies, third-party relationships, and IT security.”

The panelists also noted that CISA 2015 is set to lapse in 2025, with scant possibility of being reauthorized by congress. Use of the law, which created channels for cybersecurity information sharing, was already in decline in recent years.

As with other panelists, the cybersecurity experts noted that this leaves ripe space for states to take up the regulatory slack but cautioned that establishing a cohesive regime would take significant resources that states might lack.