ISA Urges SEC To Take a Different Direction with Cybersecurity Reporting

May 10, 2022

In comments filed with the SEC Monday, the Internet Security Alliance (ISA) urged the commission to alter its proposed rules on cybersecurity reporting, which call for, among other things, reports on cybersecurity policies, procedures and methods within 4 days of determining whether a cyber incident is “material.” In a letter from ISA President Larry Clinton, the multi-sector trade group said, “it is not the concept of disclosure about cybersecurity that is problematic as much as the types and methods of disclosure that ISA urges be reconsidered.”

ISA urged the Commission to take a risk management approach to developing disclosure rules, one that would weigh the benefits of disclosure against its risks based on empirical data. ISA noted that in the Commission’s NPRM it acknowledges that it does not have the data to assess the benefits of the proposed disclosure, and suggested the SEC leverage existing disclosure rules in research that would quantify the benefits of the proposed new rules.

ISA’s letter noted that cybersecurity is fundamentally different from the domains the SEC typically addresses and expressed concern that the SEC may be underestimating the difficulty of properly assessing the materiality of a cyber incident. ISA noted that cyber events that look bad initially often turn out to be less impactful, and premature disclosure could create the very mispricing the Commission cites as the reason for its new 4-day reporting rule. On the other hand, sometimes, such as in a ransomware attack, materiality can be quickly determined, but the analysis and treatment may take much longer than 4 days; hence disclosures will be incomplete and could create false information for the market.

Moreover, ISA suggested the specific disclosures the SEC sought, including cyber policies, practices and procedures, would likely be more helpful to the attacker community than to investors. “The rules disclosures will either be informative or not,” said Clinton’s letter. “Since the attackers are more sophisticated than the investor community, any disclosure that is detailed enough to aid an investor will almost by definition be more helpful to the attacker.”

In addition, the ISA suggested the newly proposed rules would actually provide a basis for stock manipulation, as attackers could short stocks and then time an attack to trigger disclosure, which would generate at least short-term price drops in the shorted stock.

Instead, ISA suggested the Commission require disclosure of an organization’s adherence to the principles and practices outlined in the National Association of Corporate Directors-ISA Cyber Risk Handbooks. ISA noted that these principles and practices had been independently assessed by PwC and found to generate enhanced cyber risk management, closer alignment between cybersecurity and overall business goals, and an improved culture of security. In addition, peer-reviewed academic journals have termed these practices the “de facto standard” for good cyber risk practice. As such, ISA suggested that their use would provide clear indications as to whether an organization was diligently addressing its cyber risks, without the danger of assisting the attacker community or aiding in stock manipulation.