SEC’s Rule 106 Creates Confusion Instead of Standards
One of the main purposes of the SEC is to ensure that the investing public receives all the information it can and should have to make informed investments. As technology and business practices evolve, so too must the SEC, and its latest attempt to adapt to changing times has led to new SEC rules involving cybersecurity and cyber operations. The new SEC regulations that went into effect on September 6th (with compliance reporting to begin 90 days later, this December) garnered much attention and comment while they were under consideration and revision, and have continued to be examined since. In responding to comments made during the consideration process for amendments to the rules, the SEC did listen to the critics of the new rules, citing their concern that overly prescriptive laws would dictate cybersecurity operations, and removed many aspects of the proposed law that touched on requirements. However, by specifying aspects of the operation, the “processes” and the degree to which those processes influence other board-level decisions, the SEC merely creates a hazy set of standards that companies will attempt to comply with and will use as a template for making their cybersecurity operation “public facing”.
Much of the attention around this new set of SEC rules has focused on the breach disclosure rules, but another new regulation that will affect all SEC registrants is being mostly ignored by media and thought leaders. New Regulation S-K Item 106 will require registrant organizations to “describe their processes” for assessing, identifying, and managing cyber risk. By asking for descriptions of “processes” rather than policies and procedures, the SEC is attempting to walk the line between requiring enough information to satisfy the investing public and not requiring so much that it can aid threat actors. Organizations will need to account for the public nature of the divulged information in both their cybersecurity strategy and their public relations strategy, and this new reporting requirement will have a direct effect on cyber operations.
The SEC can avoid being prescriptive in its reporting requirements, but any requirement to report can and will have the effect of setting a standard. If a question is asked on a form, there will be answers that are favorable, or at least acceptable, to the public, even if the question is only answered in the affirmative (or negative). Cyber operations will be tailored to make sure that the reporting to the SEC gives a favorable impression to the investing public. Security operations will be driven by the optics of what is reported, and this will create a competition in security theater rather than in security. While changes to cybersecurity regulation can help raise the level of maturity across the industry and encourage best practices, they can also leave gaps and create new problems outside of cybersecurity operations.
Another aspect of the rule will now require registrants to disclose the role their board takes in cybersecurity decisions and management. Boards will be expected to take an active role in this part of their organization, and the reporting will show their involvement (or lack thereof). To meet this new expectation, organizations will want to show that their board is aware of and managing cyber risk, and must establish a process by which the board is informed. This can take the form of briefs from the cybersecurity team, updates from the CISO, or something else; the form is not prescribed, but it will be reported.
While this changing situation may cause confusion for the near future, working through the complications of regulating cybersecurity will ultimately make us all more secure. The hazy set of standards that will be created, and then tested against practice and public opinion, will likely lead to clearer rules and regulations in the future, as the trials and errors that occur will enrich the conversation between public and private entities on the changing role of cybersecurity in business.