Over the past year, cybersecurity executives have come under increasing legal scrutiny and faced real consequences. The SEC's new cyber reporting rules require public companies to disclose "material" security incidents in an 8-K filing within four business days, a clock that starts when the company determines the incident is material, not when it is first discovered. The rules, which took effect in December 2023, have already produced a surge of new incident disclosures filed with the SEC. This legal oversight was a central topic of discussion at the recent ShmooCon hacker conference in Washington DC.
The net effect is a changed landscape for security leaders: more transparency, more documentation, and more personal accountability.
The Changing Landscape of Cybersecurity
At the ShmooCon conference, a panel of experts including startup lawyer Elizabeth Wharton, former SEC prosecutor Danette Edwards, and tech investor Cyndi Gula shared their perspectives on the evolving cyber-liability stakes. They emphasized the increasing legal oversight and consequences that cybersecurity professionals are facing, from entry-level positions to the executive suite.
Implications of the New Reporting Rules
The SEC's new reporting rules have changed how companies handle and disclose cyber incidents. Danette Edwards expects a surge of initial 8-K reports, followed by amended filings updating disclosures of the same incidents. Elizabeth Wharton pointed to the difficulty of reporting within the four-business-day window, when the facts of an intrusion are still changing: the initial filing will often rest on incomplete information, which is why subsequent disclosures are needed as the investigation progresses.
The Impact of Remote Work and Transparency
The panel also discussed how the shift to remote work has turned much of a company's internal discussion into written records. Elizabeth Wharton stressed being mindful of what is put in writing, since chat messages and emails are potentially subject to scrutiny in an investigation or lawsuit. The panel also noted how organizational culture shapes a company's response to increased regulatory scrutiny.
Responsibility of Cybersecurity Executives
Recent federal enforcement actions show that cybersecurity executives are shouldering more personal responsibility. The SEC's charges against SolarWinds and its CISO, Timothy Brown, for allegedly misleading investors about the company's security practices and known risks before the 2020 supply-chain attack are the starkest example. Despite the pressure, Cyndi Gula urged security executives not to walk away from their roles, arguing that documentation and transparency are how they effect change and mitigate risk.