SEC data breach rules branded “worryingly vague” by industry body
The new rules announced last week leave many questions unanswered, according to security industry experts


New data breach reporting rules introduced by the Securities and Exchange Commission (SEC) last week have been described as “worryingly vague” and may create a harmful operating environment for security professionals, according to (ISC)2.
Tara Wisniewski, EVP for advocacy, global markets, and member engagement at the security non-profit, challenged the new scheme, warning that many aspects of the new framework are open to interpretation.
While Wisniewski broadly welcomed the changes, she suggested that the announcement could create confusion for professionals in the industry.
“While we support the fundamental principles of public disclosure to inform and protect shareholders, customers, and other constituents, the SEC ruling is worryingly vague. It poses more questions than answers, and may create ambiguity for cyber professionals.”
Under the new rules, public companies will be held to a higher standard of reporting, with firms required to disclose security incidents within four days.
The ‘Form 8-K’ requirement means companies will have to report any security incident they deem ‘material’ within this timeframe and provide information on the timing of the attack, its scope, and the potential impact on the business and customers.
However, the terminology used by the SEC is a point of serious contention for (ISC)2 and could be left “open to interpretation”.
This, the organization said, could lead to over-reporting of security incidents, placing greater pressure on overworked staff. Similarly, (ISC)2 warned the framework could prompt a trend of under-reporting, which in the long term might leave cyber security practitioners personally liable for incidents.
As such, the organization called for a clearer definition of what constitutes an incident under the new guidelines.
“There are no concrete definitions for which cyber incidents must be disclosed, or what the SEC means by ‘material impact’. There are millions of attempts on businesses daily, some unsuccessful, others partially so,” said Wisniewski.
“Without clearer definitions, the rules are open to interpretation which could either lead to over-reporting, distracting cyber professionals from their main task of network protection, or under-reporting, which could expose cyber professionals to personal liability.”
Overburdened security professionals
Another point of contention raised by (ISC)2 centers on the new board oversight requirements outlined in the SEC’s recent changes. Under the new rules, businesses will be required to disclose annual reports on their security risks, cyber strategy, and governance practices.
Annual 10-K reports will be required to outline specific measures taken by organizations to identify and mitigate security threats, as well as insights on executive oversight of company security practices.
Wisniewski said that these new rules “do not go far enough”, adding that the guidelines are ambiguous and could lead to increased pressure on practitioners as executives rely on staff for advice and guidance.
As a result, the non-profit has called for the establishment of a “more formal framework for board oversight responsibilities”.
“The ambiguity only creates more burden for overworked and under-staffed cyber security professionals, as boards and corporate leaders will increasingly rely on them for interpretation of the guidance,” she said.
“So while we support collaborative efforts to protect consumers, the importance of cyber threats and the complexity of management requires very clear guidelines with detailed definitions so cyber professionals do not inadvertently fall afoul of well-intentioned regulation,” Wisniewski added.
“Cyber professionals are looking for clarity, and this ruling falls short in that regard.”

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.