To begin with, we know the cyber risk oversight model described in the NACD-ISA Cyber Risk Handbook actually enhances cybersecurity. We also know there is no proof that the SEC's proposed regulations, whose approach has already been tried in multiple venues, will enhance cybersecurity or protect investors.
In fact, the NACD-ISA handbook is the only set of cybersecurity best practices that has been independently verified and shown to materially improve cybersecurity. Separate studies by MIT Sloan and PricewaterhouseCoopers (PwC) assessed the use of this approach and found that organizations that use the methods outlined in the handbook see tangible improvements in their cybersecurity. The MIT study concluded that “organizations following the consensus principles are predicted to have 85% fewer incidents” and “can significantly improve their cyber resilience without raising costs,” while PwC found that following this model resulted in larger cybersecurity budgets, better cyber risk management, closer alignment between cybersecurity and overall mission goals, and a better-developed culture of security throughout the organization.
The governing principle of the NACD-ISA handbook is that directors need to understand and approach cybersecurity as a strategic, enterprise risk. Cyber risk is not limited to narrow technical domains but stretches throughout the enterprise and directly impacts critical business outcomes. Effective organizational cybersecurity directly contributes to strategic value preservation and new opportunities for long-term value creation. The improvements in cybersecurity found by MIT Sloan and PwC are a direct result of this governing principle. Instead of embracing this proven principle, the SEC is sticking to its antiquated model – without any evidence of it working.
In its NPRM, the Commission asserts that the value of “timely disclosure” to shareholders outweighs the risks of premature disclosure but fails to provide any evidence to support this assertion. To the contrary, the NPRM admits it has none: “we are unable to quantify the potential benefit to investors and others as the result of increased disclosure and improvement in pricing under the proposed amendments.”
Not only does this proposal lack evidence, but the requirements the SEC suggests in the NPRM also pose significant risks to the same investors the SEC aims to protect. The disclosures required under the SEC’s proposed rules largely mimic, but are not identical to, requirements already imposed by a variety of federal, state and local authorities. They will thus add to the complexity and duplication that, as acknowledged in President Biden’s recently unveiled cybersecurity strategy, is already diverting large amounts of scarce cybersecurity resources to no clear positive effect.
If disclosures of security policies and procedures are sufficiently informative for an investor to make a reasoned judgment about the security of an entity, they will, almost by definition, be informative enough to provide useful information to attackers. Conversely, if the information is not useful to the attack community, with all its expertise and cybersecurity-specific resources, it is difficult to believe it will be sufficiently informative for the investor to make a well-informed judgment about the company’s security.
Moreover, in direct conflict with the SEC’s purpose of preventing stock manipulation, there is a very real possibility that the new rules would open the door to stock manipulation. The NPRM itself raises the possibility that malicious actors may trade ahead of an incident disclosure to manipulate the market. The SEC acknowledges this risk but argues the new rules will mitigate it by mandating that a disclosure be made no more than four days after a breach is judged by the company to be material.
However, the four-day disclosure requirement is irrelevant to the attackers. The SEC’s analysis fails to appreciate the degree of control attackers can have not only over when the attack occurs but over when it will be discovered: the attackers can choose to have the attack “discovered,” and thus deemed material, simply by manipulating the attack itself. The attacker community therefore has all the time it desires to short the stock and then trigger the disclosure, the bad publicity and the associated, highly predictable, stock impacts.
The issue is not whether companies should disclose cybersecurity incidents, but the types and methods of disclosure the SEC proposes. ISA believes that requiring public companies to disclose cybersecurity incidents if they follow a set of independently assessed cyber risk oversight and management principles, such as those articulated in the NACD-ISA handbooks, would give investors a much clearer understanding of how an organization addresses cyber risk, without the attendant risks of weakening enterprise security, enabling stock manipulation or wasting scarce cybersecurity resources.