This document discusses proposed new SEC rules regarding cybersecurity risk management, strategy, governance, and incident disclosure. Intended to give investors a better view of how public companies are addressing cybersecurity risks, the new rules are expected to take effect in April 2023. The proposed rules are not limited to external cybersecurity threats. Indeed, the new rules apply to internal threats as well, such as a material loss of sensitive company information via insiders, and will require public disclosure of certain of them. Detecting and assessing insider data loss incidents requires real-time visibility into how sensitive corporate data leaves a company’s “four walls.” Understanding how corporate data moves around and outside the enterprise is also a key element of any effective insider risk program. Code42 products and services arm companies with this needed visibility and actionable intelligence to help public companies comply with the proposed new SEC rules in relation to data loss or leaks by insiders, while educating the workforce at scale to prevent future incidents.
In March 2022, the Securities and Exchange Commission (SEC) proposed new rules that enhance and standardize how public companies report cybersecurity incidents and make periodic disclosures regarding cybersecurity risk management, strategy, and governance. The proposed rules are more prescriptive and move away from the prior principles-based guidance the SEC issued in 2011 and 2018. In proposing the new rules, the SEC recognized that cybersecurity is an increasingly prevalent risk for public companies and, as a result, something that investors want to know more about. The new rules will lead to more “consistent, comparable, and decision-useful disclosures” that will enable investors to better evaluate public companies’ cybersecurity risk exposure and their ability to respond to and mitigate such risks.
Update 7/26/2023: The Securities and Exchange Commission (SEC) now formally requires public companies to disclose all cybersecurity breaches within four days.
Material Cybersecurity Incidents
The proposed rules require public companies to report on Form 8-K the following information within four business days after determining they experienced a material cybersecurity incident:
- When the incident was discovered and whether it is ongoing
- A description of the nature and scope of the incident
- Whether any data was stolen, altered, accessed or used for any other unauthorized purpose
- The effect of the incident on the company’s operations
- Whether the company has remediated or is currently remediating the incident
Among the examples cited by the SEC that would trigger the reporting obligation is the material theft, unavailability, or unauthorized use of sensitive business information or intellectual property.
Importantly, the proposed rules do not distinguish between cybersecurity events caused by external threat actors and those stemming from an accidental or malicious internal risk event. If material, both types of incidents would be reportable. Information is material if it is substantially likely that a reasonable shareholder would consider it important in making an investment decision or if it would have “significantly altered the ‘total mix’ of information made available.” So, for example, loss of customer or employee data, intellectual property such as source code or design documents, financial information, or sales or operational data - whether attributable to an insider or an external actor - would be reportable if a reasonable shareholder would consider that loss to be important in making an investment decision. Also reportable would be a series of data loss events that became material when taken as a whole - for example, the exfiltration of source code over time.
In addition, updates to previously made disclosures about cybersecurity incidents would be required in a company’s quarterly and annual reports on Forms 10-Q and 10-K - e.g., impacts on the company, remediation efforts, and any changes to the company’s cybersecurity readiness.
Expanded Disclosure in Annual and Quarterly Reports
Under the proposed SEC rules, public companies must disclose details about policies and procedures for identifying and managing cybersecurity risks in their Form 10-Q and Form 10-K filings. This includes (but is not limited to) information about:
- Cybersecurity risk assessment program(s)
- Engagement of third-party auditors or assessors in the assessment program
- Policies and procedures to identify risks
- Activities aimed at preventing, detecting and minimizing cybersecurity incidents
- Cybersecurity incidents that have resulted in changes to governance, policies or technology
- How the company considers cybersecurity risks to be part of its business strategy and financial planning
The rules also require disclosure on company management’s role and expertise in assessing and managing cybersecurity risks and incidents. This includes (but is not limited to) information about:
- The presence of management positions or committees responsible for the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members
- Whether the company has a Chief Information Security Officer, or someone in an equivalent position, and if so, their experience and to whom they report
- Processes in place to ensure persons or committees are informed about and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents
- Whether and how frequently the board or a committee of the board reviews cybersecurity posture and programs
Companies need technologies to reduce and manage risk of data loss by insiders
Public companies need to ensure they have proper technology to detect and investigate incidents related to data leak or loss resulting from employee or contractor actions. While companies may have invested in Identity Management systems or targeted cloud data protection tools, they need to ensure they have a complete view of insider risk across all employee and contractor activities on their company-issued laptops and company cloud systems.
Companies need more visibility to eliminate data blind spots
Given the broad range of data that, if lost or stolen, could trigger reporting obligations under the proposed rules, public companies need visibility into what files are being moved out of the company and effective processes (manual, automated, or technological) to triage and respond to those movements. This becomes particularly important with departing employees and contractors, as they are more likely to take sensitive information (accidentally or maliciously) that could be of use to current or future competitors.
Companies need to know what files were taken or leaked by insiders
The proposed SEC rules require companies to be able to determine quickly whether an insider risk incident is material or not. To do so, though, a company needs to know what information was put at risk, as well as how and when, as soon as possible. Armed with such information, a company can take action immediately to contain the situation, mitigate its impact so that it does not rise to the level of being material, and avoid what otherwise might be a reportable cybersecurity incident. Companies frequently lack, however, that level of visibility into file movement. All too often, the details of an insider risk incident become known only long after the opportunity to take fast, effective action has passed. Going forward, public companies need to have technology that can help them quickly know exactly what files were involved in an incident, and further, be able to speedily determine materiality.
Companies need technologies to quickly detect and investigate data loss by insiders
Under the proposed rules, it becomes important for companies to use tools and technologies that help them identify, prioritize, detect and respond to data loss incidents by insiders. The tools must help them prioritize the highest risk items so that those incidents are triaged and managed in a timely fashion.
Companies need to ensure proper documentation of all investigated insider incidents
Insider incidents may involve all sorts of company information. It becomes imperative for companies to have tools and procedures to properly document all investigated insider incidents to support their SEC filings and support their materiality determinations (including decisions not to report a cybersecurity incident).
Companies need technology to stop the highest-risk employees from taking sensitive files
It is impractical in a modern business to prohibit employees from sharing files and information with each other, or to prevent them from accessing public cloud tools and systems to do their job. Their productivity often depends on access to such tools - even if they are non-corporate tools such as Dropbox or their personal email. However, in certain cases, and for certain high-risk persons, such as departing employees or contractors, companies need to ensure they can stop them from taking files to personal email, USB drives or personal cloud accounts like Dropbox. This approach vastly reduces the most common risk of sensitive information being taken by individuals accidentally or intentionally.
Companies need comprehensive strategies to minimize insider risks by employees and contractors
Most incidents of data loss by insiders are unintentional or accidental. Companies need to invest in tools that can detect such low risk events, and automatically educate users on how to better protect company information. While companies may presently invest in annual security education for employees, such approaches are often ineffective. Companies need to focus more on just-in-time, corrective education to actively reduce risk of material information being leaked by insiders. This needs to become part of a company’s security culture.
Companies need proper stakeholder involvement during investigations
In order to determine materiality in a timely manner, companies need to evolve their cybersecurity incident response processes to ensure broader collaboration between Security, Legal/General Counsel, Compliance, the CFO, line-of-business stakeholders such as VPs or Directors of departments, and company Executives. This is because it is virtually impossible for any one individual or team within Information Security to make a determination of materiality on its own in a reasonable manner.
The business impact of insider risk is real, and it can be substantial. Loss of source code, a customer list, or other key intellectual property can significantly impede a company’s ability to compete. In addition, because organizations may be unaware of a data exfiltration for weeks, months, or even years, recovering lost IP can be a costly, time-consuming uphill battle. Resources that could be used to build the company’s business are instead spent on lawyers, litigation, and forensic investigators. Likewise, unauthorized exposure or theft of personal data can trigger regulatory reporting, fines, and expensive breach remediation efforts. And any cybersecurity incident can damage a company’s reputation in the marketplace. Data visibility is critical not only to comply with the new SEC cybersecurity incident reporting rules, but also to prevent cybersecurity incidents from occurring in the first place or to mitigate their impacts.
How can Code42 help you deal with these new SEC requirements?
Code42 Incydr and Code42 Instructor are specifically designed to help companies quickly prevent, detect, investigate, and respond to data loss by insiders. Code42’s products provide a wide array of features that simplify the workload for companies to manage the cybersecurity risk due to insiders. Code42 also provides best-in-class expertise and best practices guidance on how to deal with aspects of risk reduction that go beyond the tech - namely people and process issues. Some of Code42’s differentiated capabilities include:
Widest breadth of data exfiltration detection across endpoint and cloud systems
Code42 Incydr includes industry-leading exfiltration detection across endpoints (Windows, Mac, Linux) and cloud systems. Code42 can detect and alert on risky file movement regardless of file type - source code, business files, zip files and more. Detection includes data movement via web browsers and USB drives, but also covers more novel exfiltration vectors such as AirDrop and Git (the source code management tool). Code42 also detects risky file sharing activity in company cloud repositories such as Office 365, Google Drive, Box, company email systems, and Salesforce. Code42 also provides companies full contextual details on the incident (who, what, when, how) so that investigating teams can quickly decide how to proceed.
Access to exfiltrated files for quick determination of materiality
In all cases of detected data exfiltration (regardless of risk score), Code42 automatically keeps a copy of the exfiltrated file. This allows investigators to view and inspect the files involved in an incident to make a timely determination of materiality. Customers do not need to do anything special or manage security repositories to use this functionality.
Case Management functionality to accurately document pertinent investigation details
Code42 has case management features built in to allow companies to track and record insider risk investigations. This allows investigating teams to securely track sensitive incidents and manage them separately from other IT or security incident management systems. Cases can contain all details of the security events in question, and can keep track of the actual files involved in an incident. Cases can easily be exported for permanent record keeping, collaboration and audit purposes.
Prioritizing relevant insider risks to prevent investigative burn-out
Code42 Incydr automatically scores risky insider actions, and provides configurable alerting and prioritization rules to ensure security and investigating teams are not overwhelmed by too many alerts or false positives. Code42 Incydr includes over 120 Insider Risk Indicators - including file, user and behavior attributes - that are tracked from day one of usage to minimize time to detection. This helps investigative teams quickly identify the most relevant incidents and investigate them in a timely manner.
Historical view of user and file activity to strengthen investigations
Code42 retains historical file exfiltration events by user to ensure investigators can look back in time to determine whether a given user or file was involved in previous non-material incidents. This happens automatically regardless of whether those prior events were investigated or not. Historical events can be saved for up to 180 days (depending on the product purchased).
Code42 Incydr includes capabilities to block high-risk users such as departing employees, repeat offenders and contractors from moving data from their company laptops to untrusted cloud destinations or USB drives. Code42’s powerful watchlist-based approach to blocking risky file movement combines the benefits of reducing risk by these high-risk persons while ensuring security team members are not burdened by complex rules management tasks.
Automated employee-education to minimize and mitigate data loss risk by insiders
Code42 Incydr and Instructor facilitate automated, just-in-time education for employees to mitigate and manage low-risk or accidental data exposure. Employees are automatically contacted via Slack, Microsoft Teams or email and presented with bite-size video lessons that help them understand why their actions were risky, and how to avoid them in the future. This approach has the dual benefit of reducing the risk from repeat offenses over time, while also reducing the investigation burden on Security teams. This ensures companies have a well-rounded risk reduction strategy that focuses on all levels of data loss risk.
Expert Practices on managing effective Insider Risk Programs (People, Process, and Technology)
Code42’s Expert Practices team produces and provides best practice guidance and education for customers on how to effectively manage their insider risk programs in a manner that fits their organizational goals and culture. Policy templates, ideal workflows and best practice guidelines are provided to all Code42 customers at no extra cost. Code42 also offers paid Expert Services engagements where Insider Risk Advisors work directly with customers to help them establish or mature Insider Risk programs to ensure they’re effective and compliant with regulatory requirements.
With its new cybersecurity rules, the SEC aims to improve security culture at publicly traded companies and enhance transparency for both the SEC and investors. Accidental or malicious data loss by insiders can trigger reporting obligations under the proposed rules, and companies will need to make regular disclosures regarding their insider risk management posture. Code42 Incydr and Code42 Instructor help companies prevent, detect, investigate and remediate data loss, and will help public companies comply with the SEC’s new disclosure framework with respect to insider risk incidents.