EPISODE 148
SEC Disclosure Rules on Cybersecurity


About this episode

January 2, 2024

What are the SEC's new rules for cybersecurity disclosures, covering both the reporting of material cyber incidents and the annual disclosure of cybersecurity risk management and governance? Let's find out with your hosts Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Jake Bernstein: So Kip, what are we going to talk about today in episode 148 of the Cyber Risk Management podcast?

Kip Boyle: Hi Jake, this is going to be a podcast for all of you lawyers or want-to-be lawyers in the audience, and I know Jake's going to enjoy this, because what we're going to talk about is the SEC, right? That's the Securities Exchange Commission, right? Is that what that is?

Jake Bernstein: That is correct. Yep.

Kip Boyle: Yep. So they have new rules, and we've known about these rules for a while now, but they're just about to come into effect. So there are rules on cybersecurity-related disclosures: reporting requirements for cyber incidents, and also, as if that wasn't enough, annual disclosures about cybersecurity risk management and governance, and we want to make sure you're ready, so we're going to talk about all of that today.

Jake Bernstein: Yes, we are, and I'm going to start with a disclaimer. It's a joke I use fairly often, and basically I'm a security lawyer, not a securities lawyer. And that's a big difference because a securities lawyer focuses on the SEC and I don't, this is new to me. Obviously the cybersecurity component is not, but we're going to do the best we can.

Kip Boyle: I think we're going to do just fine.

Jake Bernstein: We'll do just fine.

Kip Boyle: And really, we're not trying to educate lawyers here. We're trying to educate practitioners. We are like cybersecurity practitioners, people who are trying to manage cyber risk.

Jake Bernstein: We are, absolutely. So let's start with what made the news over the summer, honestly so extensively that we didn't bother doing an episode on it, the new cybersecurity incident and breach disclosure requirements via Form 8-K. Now, an 8-K is a form used to notify investors in US public companies of specific events that may be important to shareholders or to the SEC. The new rules add a new line item, item 1.05, which requires companies to report a cybersecurity incident within four days of determining that an incident is, quote, material on an 8-K form. Now the detail here is really important, the four days begin from the determination of materiality, not discovery. That's where we start.

Kip Boyle: Yeah, so that's a big deal. I recently, not too recently, but these days I talk a lot about cyber being a material business risk, because the possibility for absolute catastrophe is a present danger. Just talk to MGM, Caesars, right? The huge list of organizations that were cut off at the knees when their computers were taken away from them. And it doesn't even need to be a data breach these days, if you can just remove control of a computer system from an organization, they can't do business, or at least not very easily. But I would say that throughout the course of my career, I didn't talk about materiality very much, until relatively recently. And I don't know that the people listening to this podcast have been thinking in terms of financial materiality either, and so I'm really looking forward to unpacking this, but let's start with the reporting requirements, so what are those like?

Jake Bernstein: Okay, so instead of including details of the incident, technical ones, which again would not be very smart, the disclosures on the Form 8-K should describe the material aspects. The disclosures should also describe the impact of the cybersecurity incident, considering both quantitative and qualitative factors, such as any effects on a business's operations, financial repercussions, impacts on vendors and consumers, reputational harms, harms to customer contracts, and litigation risks that may arise from the incident. And then of course, if you need to update it as time progresses, which is likely, you can then file an amended 8-K that includes material updates.

Kip Boyle: So that's a lot of guidance, but-

Jake Bernstein: Also it's not a lot of guidance.

Kip Boyle: They said a lot, but I don't have experience knowing what to do with it. I think our friends-

Jake Bernstein: [inaudible].

Kip Boyle: ...Yeah. And I think if I needed to somehow get good at this, I would go talk to my CFO friends, because they do this all the time. They're having to consider, for example, labor, if you have a strike, if you're dealing with a labor strike, that's a material risk. If you're dealing with currency fluctuations, right? Gosh, what else? If the market has shifted, and now your sales aren't going to be looking very good. I guess my point is that cyber from a CFO's point of view is just another material risk, whereas for us, it's like, "Oh, wow, this is a completely new thing." So I would go talk to my finance friends and say, how do you figure out materiality given whatever it is that we're facing? So I just wanted to just put out a practical tip there, for how do you begin to get your arms around this? And I know we're going to talk more about it on this podcast, but go talk to your friends in finance. Yeah.

Jake Bernstein: And I think one thing to keep in mind is that financial materiality is just a factor, when you're talking about materiality in the SEC's mind, particularly with respect to this new set of rules. So yes, it's helpful because they have more experience doing it, but they're going to need you as a security specialist to help them understand the facts and situations, and as you'll see, the total mix of information.

Kip Boyle: And I think if you're a cybersecurity practitioner, you would do credit to yourself if you approach your finance leaders first on this, right? They probably have already heard of it, but if you go to them and say, "Hey, if we ever have to do this together, let's talk about what that might be like, so we don't have to figure it out in the moment."

Jake Bernstein: Agreed, that's very important. So let's talk about the kind of, I guess the bright-line guidance, and the fact that there isn't any at all, Kip, there is no bright-line guidance, instead-

Kip Boyle: Then that's what makes a podcast episode.

Jake Bernstein: It is, it really helps. Instead, we have a situation where federal courts view a materiality determination as a delicate assessment that is inherently fact and context specific. And in fact, Kip, we have two Supreme Court cases that still control this analysis. Would you care to take a bet on the dates of these two cases?

Kip Boyle: Well, I know they're not recent, and I also know that precedent and law can go back a long, long ways. So I'm thinking right now I'm thinking about-

Jake Bernstein: It's not Lincoln-law old.

Kip Boyle: Okay, thanks, because-

Jake Bernstein: We're not going back that far.

Kip Boyle: I was thinking 1870s, 1860s.

Jake Bernstein: No.

Kip Boyle: How about 1970s?

Jake Bernstein: It is, yeah, the very first one, or I should say the most important one right now, is a case called TSC Industries Inc. versus Northway Inc., and it is from 1976. And then there was a follow-on case in 1988 called Basic Incorporated versus Levinson.

Kip Boyle: Now you say follow-on, but they're not ... are they related?

Jake Bernstein: They're not. No. No.

Kip Boyle: Okay.

Jake Bernstein: Yeah, yeah. Sorry, it's just the next one in kind of the materiality analysis issue. So the gist of the TSC analysis is really the following question: does there exist a substantial likelihood that a reasonable investor would consider the information important in making a buy, sell or hold investment decision, or a voting decision? That's it, it is both that simple and elegant, and yet absolutely mind-bogglingly complicated, and completely unclear. Just to complicate things, the decision in Basic Incorporated introduced the discussion of contingent and speculative events, which is fun, so when you have a contingent or a speculative event, the materiality determination must balance both the probability that an event will occur, and the significance of the event to the company. Now Kip, what does this sound like to you?

Kip Boyle: Well, it sounds like something that's actually a lot more familiar than I thought I was going to feel, it sounds a lot like just risk management. And so that sort of implies that the standard is flexible, and can be applied to really any factual situation that you might face, considering the context, right? Because you have to do a total mix of all of the information that's available. And I've heard you talk about this before, I would ask you to speculate on something and you'll say, well, it depends, right? It's going to depend on the facts and circumstances, I mean, I've kind of heard you say that before, and that's really the same thing in play here, isn't it?

Jake Bernstein: It's the very essence of what's in play here, this is a mealy-mouthed non-standard, that is really a bunch of words that does mean figure it out as a gut reaction almost.

Kip Boyle: Yeah, okay. So that makes it difficult, and I also think that it requires a lot of empathy, because when I look at the standard and how it talks about likelihood that a reasonable investor would consider the information to be important, well that kind of requires you to put yourself into the headspace of a reasonable investor, assuming that that person exists, because I've seen people make completely irrational, unreasonable investment decisions from my point of view, but right, so empathy, there's got to be a lot of empathy here.

Jake Bernstein: There does, and it's the same as the reasonable man test that everyone learns about within their first few days of going to law school.

Kip Boyle: We need more reasonable women tests, can I say that?

Jake Bernstein: That's probably a good point. I guess, you know what, it's probably the reasonable person test now.

Kip Boyle: These days.

Jake Bernstein: It's been a while. Okay, so to make it harder, there isn't even that much SEC guidance on making a materiality determination. There's a rule, SEC Rule 405 under the Securities Act, and Rule 12b-2 under the Exchange Act, both define material as relating to those matters where, quote, there is a substantial likelihood that a reasonable investor would attach importance in determining whether to buy or sell the subject securities. That's nothing more than the same definition or a derivation thereof from the materiality standpoint, or sorry, standard set out in TSC Industries.

Kip Boyle: Right. Okay, so just again, from a practical perspective, if I found myself needing to guide somebody, if I was their CISO and I needed to guide them, I suppose one of the things that I would be hungry for is to see somebody else doing this, right? I'd want to see examples, like what are other people saying when they have materiality within their cyber security, cyber risk regime? But there's probably not a lot of that out there yet, is there?

Jake Bernstein: So there's nothing yet.

Kip Boyle: Someone's going to have to go first.

Jake Bernstein: Someone will go first. And you know what? The SEC is actually pretty reasonable about this, in the first couple of years of these types of new regimes. They'll make comments, they'll send letters, they'll kind of make it clear what they want to see, and we'll kind of hit this point of equilibrium within a year or two of really seeing how these things look. But initially, there's not a ton to go on.

Kip Boyle: But there is a little bit more here that, I don't know, could be helpful, there is a non-exhaustive list of items or events that should be reviewed carefully to determine whether they are in fact material. So mergers, acquisitions, tender offers, joint ventures, new products, change in control, which I think means change in ownership, bankruptcies or receivers. So we're talking about major changes to the trajectory of an organization, and so just from that basis, I could definitely see how a major ransomware attack, for example, could sit on the shelf, alongside of all these other things that I just listed off.

Jake Bernstein: Absolutely, I mean, we can't do business for a week, is almost certainly a material event.

Kip Boyle: Or three months, I mean, I'm reading some cases now that are going on where the gang encrypted them, they restored themselves, the victim did, the gang was mad, so they encrypted them again, and they then encrypted them a third time, because this organization kept digging themselves out, and it pissed off the attackers, and so this has been going on for three months.

Jake Bernstein: Wow, okay, so with respect to cybersecurity incidents in particular, as we talked about, the trigger for reporting is the date that the company determines that a cybersecurity incident is material, not the actual date of the cybersecurity incident, which immediately raises a very important operational question. Who determines whether a cybersecurity incident is material? Is it leadership? Whatever that means. Is it the CISO? Is it the audit committee? Is it the full board? These are questions that every public company is going to have to answer on their own. I think the default is going to be the audit committee, or if there's a cybersecurity committee, that obviously would make sense, but it's going to be the board to some degree.

Kip Boyle: That makes sense to me as I think about what I would be discussing or recommending, especially in organizations that don't have a board of directors, like privately held organizations or ... well, no, then that wouldn't even come into play here, right? Because talking about publicly-

Jake Bernstein: We're only talking public companies.

Kip Boyle: Only talking about ... and they're all going to have boards of directors, I think that makes a lot of sense. The reason I slipped-

Jake Bernstein: By definition.

Kip Boyle: ... But the reason why I slipped into the private company space is because, in my observation, what public companies do privately held companies watch, and investors are thinking about the rules of publicly traded companies when they're thinking about investments in privately held ones. So I think, yeah, I can see myself in a conversation with a privately held mid-sized company in the future about should we do what the SEC is requiring public companies to do, and how would we do that? But okay, well, anyway-

Jake Bernstein: To one degree, I can just answer that, the answer is no, because the SEC is all about disclosure, and the essence of being a private company is that you don't have to disclose.

Kip Boyle: Well, you don't have to, but I mean, okay, I can foresee situations where you have to say something about the fact that you can't do business right now.

Jake Bernstein: Yes, and there's a lot of other breach reporting requirements out there, but I just think when we talk about SEC disclosure rules ...

Kip Boyle: You just don't think there really is an analogy in the private ...

Jake Bernstein: No, I mean, the cost of getting access to the capital markets, the public stock exchanges, is having to deal with SEC regulation and requirements. And if you don't have to do that, I don't know why you would abide by their rules. Now, obviously, we're not saying don't do cybersecurity if you're a private company. We're just saying the disclosure rules are not going to necessarily apply to you in the same way.

Kip Boyle: Okay, great. That's good. That's very helpful. Okay, so then let's move on and let's talk about timing. So if I don't have to report, I'm a publicly traded company and I don't have to report until I make a materiality determination, then why should I do that any faster than I need to? Let's just take our time.

Jake Bernstein: That's a good point, but I think you can tell us why.

Kip Boyle: Well, because the SEC, this is not like the first time they've done anything, and they've already thought of that. So like the IRS, who anticipates people doing things they don't want them to do, there's actually some instructions that go along with Item 1.05. And I think it makes it clear that companies have to make their materiality determinations without unreasonable delay. There's more of that mealy mouthed, if you will, being specific without being specific. But I think-

Jake Bernstein: That's at least a reasonable one, because think about it, Kip, what if you were to say you have to make it within three days, everyone's going to have their hands in the air, screaming and yelling how there's no possible way they can make a materiality determination about a cybersecurity incident that they don't even know what's going on with it yet.

Kip Boyle: But then there's a whole facts and circumstances situation to decide if somebody is being unreasonable.

Jake Bernstein: There is, but the courts are used to this, so I'm not so worried about unreasonable delay issues.

Kip Boyle: So you think that can be figured out. Okay, but let's give some for examples, right? Incidents impacting key systems and information, or involving unauthorized access to, or exfiltration of, large quantities of particularly important data. The company may be able to determine materiality even without complete information about the incident just by following those leads, right?

Jake Bernstein: Well, and so that's an interesting point, is that some might say, "Oh, well, we can't make a materiality determination until we've completely resolved the incident." And I think the SEC is saying, "That's not true here. If you've been ransomwared into oblivion, you don't need to wait until you've resolved everything in order to say, ah, that was material."

Kip Boyle: That makes sense.

Jake Bernstein: And I think that's right, and I don't know exactly what that's going to look like in enforcement, but again, the total mix of all possible information, Kip, that's what you have to take into consideration.

Kip Boyle: Okay, are there any examples of unreasonable delay, since you said you don't think it's going to be a problem?

Jake Bernstein: Well, yes, there are examples of unreasonable delay that the SEC provided, and essentially it's more about the process, in a sense, than any given situation. So here's an example, if the materiality determination is made by a board committee, and you intentionally defer the committee's meeting on the determination past the normal time it takes to convene committee members, that is, by definition, unreasonable delay. So let's unpack that for a second, let's say that the audit committee meets every month, and right before there's an incident, or sorry, right before the next meeting, there's an incident, and rather than risk having the audit committee meet and make a materiality determination, you instead push the meeting, that might be unreasonable delay.

Another example might be revising existing incident response policies and procedures, in order to support a delayed materiality determination, such as by extending the incident severity assessment guidelines, changing the criteria that would require reporting the incident to management, or any other committees responsible for public disclosures, or just introducing other steps to delay the determination or disclosure. These are procedural, these are internal, they're not really hard numbers or examples.

Kip Boyle: But I think that's important, because somebody who was unawares might think that they could do something like that, and that it wouldn't be noticeable by the SEC, but I think this is really putting us on notice that oh, yes, they would check those things, and they would have the power to obtain records to know, right?

Jake Bernstein: Well, and we just saw that, didn't we in the immediately previous episode where we talked about the SEC and SolarWinds. We know they have the power to investigate, so yes, they would probably find it.

Kip Boyle: Yeah. Okay, so obviously people are very concerned about the whole incident reporting requirements, but you said something at the beginning of the episode that's potentially even more fascinating, and that's the requirement to report on risk management and strategy in the company's annual Form 10-K. So let's take a look at that a little bit more closely. So according to the new rules, there is a new item, and it's 106(b)(1), and you can put some parentheses around the B and the one, and it requires companies to describe their processes, if any, because maybe some people don't have a repeatable process. But if you have a process for assessing, identifying and managing material risks from cybersecurity threats, you need to put that into your 10-K, and it needs to be detailed, detailed enough for a reasonable investor to understand those processes. And it's got to address a few things, like whether and how the described processes have been integrated into the company's overall risk management system, or overall risk management processes. It also has to tell whether the company engages assessors, consultants, auditors, or any other third parties in connection with those processes or systems.

And then it also needs to ... and this is not an exhaustive list, but we're hitting the high points here, whether the company has processes to oversee and identify material risks from the cybersecurity threats associated with its use of any third party service provider. And please, again, this is not an exhaustive list, but we really wanted to give you a taste of what they're going for here. Right?

Jake Bernstein: Yeah. So this is going to be really interesting, and it's going to be a lot like the 8-Ks. It is going to take us a year or two to figure out what do people put in these 10-Ks? And I was just chatting with some of my capital markets partners, and they were telling me that some companies might have a page of material, some companies might have a paragraph, by comparison, typical business concerns will take up 10 to 20 pages in a 10-K filing. So this is pretty short stuff, but we don't know, we don't know for sure, and as we do know from SolarWinds, you probably don't want to make stuff up or lie in these disclosures.

Kip Boyle: You think?

Jake Bernstein: I do think, I do think, and I think what's interesting too, is the approach the SEC is taking here. So the SEC can't mandate affirmative rules, they can't actually tell you "You must have cybersecurity," and they didn't. What they said here is, "You have to describe your processes, if you have any for assessing, identifying and managing material risks from cybersecurity threats." Now, what's interesting is that you can't say nothing, you can't be silent, so all public companies are now in the position of saying something about this. And my contention is that there's a lot of companies who are going to sit down with their little proverbial pen and piece of paper and go, "Gosh, what do we put?" Kip, sounds a lot like things that we do for our clients and customers, it's about process. And I think this is so important to the point where I think it might be an overall bigger deal than incident reporting. Now, the incident reporting is going to be critical, don't get me wrong. I think more reporting also leads to greater cybersecurity procedures and effectiveness, because nobody wants to be the one who has to report, but incident reporting in and of itself is not new, right? There's all kinds of data-

Kip Boyle: Yeah, we've got data breach-

Jake Bernstein: ... notification laws.

Kip Boyle: Exactly.

Jake Bernstein: Yeah, it's out there, and I think that this though, have you ever heard of anything that requires any company to disclose their own cyber risk management and governance strategies before? And let's be clear, people have already done the freakout of, "Oh my God, you're going to give people a roadmap and hack ... this is going to be for hackers." It will not, that's not going to be the case, and nor should it be. If it's about the process, and honestly, Kip, if nothing else, I think we've learned working together for, gosh, going on six or even seven years, who knows, who can keep track anymore, that so much of it is about the process. And if you don't have a process, and you're not doing it, the plane crashes.

Kip Boyle: Right, or at least something bad will happen, you won't know how to deal with it, and then the plane will crash, because you've got no checklist, you have no process, you don't know how to isolate the failure and discover what it is before you run out of time to do anything about it. And certainly, nobody's going to want to be the first to say, "Well, actually, we don't have a process." I mean, that's not going to be considered to be a reasonable answer here for public companies, is it?

Jake Bernstein: It isn't necessarily reasonable or not, but I think it's material.

Kip Boyle: Yeah.

Jake Bernstein: I don't know about other people, but if I'm an investor, I will think twice about investing in a company that says, "Yeah, we don't have a cybersecurity program."

Kip Boyle: Right?

Jake Bernstein: Yeah. We're just operating on hope.

Kip Boyle: Exactly. Even if that's where they were the day before, magically they're going to have one. So it's interesting, I wonder if later on we're going to see anything about, okay, you have one, but do you follow it?

Jake Bernstein: Well, okay. So Item 106(b)(2) further requires companies to disclose whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of its operations, or financial condition. So all that really is, is kind of the annual roll-up report of what might've happened, what risks did you identify, and how could it affect you? That's pretty standard, but Kip, there's also the topic of governance, and why don't you tell us about Item 106(c)-

Kip Boyle: Sure.

Jake Bernstein: ... And what that means, I think this is also really fascinating.

Kip Boyle: Well, there's a lot to it, so hang on everybody and maybe slap your face a little bit if you're feeling drowsy from all of the citations that we've given you, there's more. Okay, so listen to this. So under 106(c), Charlie, companies must describe the board's oversight of risks from cybersecurity threats, and if it's applicable, they also have to identify any board committee or subcommittee that's responsible for cybersecurity risk oversight, and the processes by which the board or such committee is informed about cybersecurity risks. My gosh, we're going to open up the kimono here, right? That's not it, there's more.

Jake Bernstein: You're right, that's not it, keep going. Yeah.

Kip Boyle: Okay. And again, under 106(c), companies must also say whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members, in such detail as necessary to fully describe the nature of the expertise, and the processes by which such persons or committees are informed about, and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents, and whether such persons or committees report information about such risks to the board or committee or subcommittee of the board. And I can't believe I said all that without tripping over my own tongue.

Jake Bernstein: Wow.

Kip Boyle: It's non-exhaustive, as exhaustive as it sounded, it's not. And the more I read this, the more I'm like, yeah, the CISO's going to start reporting to the board just like the audit manager.

Jake Bernstein: I think so, and I think we're also going to see an explosion of much more process out there. I think that cybersecurity has been, I mean, we've talked about this for years.

Kip Boyle: Oh yeah.

Jake Bernstein: Oh, it's an IT problem. Well, the SEC is saying, no, it's not.

Kip Boyle: Not anymore. I mean, it used to be, 20, 25 years ago-

Jake Bernstein: It did used to be.

Kip Boyle: ... you could just, if you were the CFO, you could buy a license, a site license to Norton Antivirus, you could pitch it over the wall to your IT team and say, "Deploy that." And then as long as the subscription renewed every year, and the little files that said what's bad juju were pushed out to all your endpoints, that's all really, that was basic cyber hygiene. But that was a long time ago, and that certainly is not the case anymore, and I think the SEC is kind of validating, right, that those days are over. Okay, when does this all take effect?

Jake Bernstein: Well, assuming that we published this on the date we planned to, which is around December 19th, 2023, all of these requirements have been in effect since yesterday, and a few days before that on December 15th for the 10-K rules. Now, just to be clear, the 10-K rule effective date of December 15th doesn't mean that you have to file the new 10-K on December 15th, it just means that everyone's standard 10-K cadence starting on December 15th has to include the new disclosure.

Kip Boyle: So the next one, the next 10-K and everyone thereafter.

Jake Bernstein: Exactly.

Kip Boyle: Okay, got it.

Jake Bernstein: So I'm working, just as an example, I'm working with a client whose, their next scheduled 10-K is sometime in February or March. So they would never file one on December 15th, but when they do file one after December 15th, it'll need to include the new disclosures.

Kip Boyle: And are you helping them write the things that they need to now start to include in there?

Jake Bernstein: I will be, Kip, and that's going to be interesting.

Kip Boyle: Okay, so then we should probably note that we need a follow-up episode in what, three to six months just to sort of check in and see how people are doing?

Jake Bernstein: Yeah, I would say six to nine months might be best, just because we want to be able to see enough large company 10-Ks and small company 10-Ks to see what's being said. I think we will absolutely do that, we've got to put it in the publication calendar, and make sure we do it. But one of the questions I asked my two partners was, "Am I being overly optimistic? Is this a game changer or is it really just going to be another page or paragraph added to the 10-K that nobody cares about?" And they said, "We don't know yet," which is a fair answer. But as we continued to talk, we realized that, one, the 8-Ks are a big deal, because the 8-Ks have to be assembled quickly, right? The 10-K, you have a long time to write, so it's not exactly a pressure situation, unless, as I said earlier, you start writing your 10-K and you realize you have nothing to say. And I think that could drive cybersecurity program adoption, formal program adoption, because think about this, how many companies do we know who ... they're doing cybersecurity, right? They're doing it, but if you were to ask them exactly what they're doing, and what their processes and their procedures are, and if they have any policies, a lot of the time the answer is, oh ...

Kip Boyle: We have a great IT department.

Jake Bernstein: We have a great IT department. Bob, the IT guy has been with us for 25 years, and he knows everything.

Kip Boyle: He's got it all handled.

Jake Bernstein: He's got it all handled. And you could say that, but it's probably not going to cut it going forward, at least not for any major-

Kip Boyle: I don't think it's going to satisfy these requirements that we just went over.

Jake Bernstein: Well, it would technically satisfy the requirement to disclose, I don't think it would satisfy the investors. And if you think about it too, Kip, we often think of public companies, particularly these days, as, oh, they're just all behemoths, just the huge Fortune 500. But the reality is that there are hundreds and thousands of publicly traded companies that are smaller, and they're not necessarily trading at huge volumes, or have a huge share price. But I think that it's those companies that probably have the most to gain and lose by these new disclosures. If you're a small, I don't know, furniture manufacturer, but you're publicly traded, and you disclose that you actually have an amazing cybersecurity program, because you don't want your furniture-making factories to be shut down, that could have an impact.

Kip Boyle: Especially if you're not telling the truth.

Jake Bernstein: Well, yeah, don't do that, I'm assuming that you're telling the truth. I guess the negative version of that is if you have to, and you tell people you have nothing in place, well, I hate to say it Kip, I know I already said that we're not making a roadmap for hackers, and we're not. But if I'm a hacker, I'm absolutely going to troll these 10-Ks, and find companies that have honestly admitted they're doing nothing.

Kip Boyle: Which is why they won't.

Jake Bernstein: And then go after them.

Kip Boyle: I don't think anybody is going to admit that they don't. I think they're going to say that they do, even knowing that they're lying, because the thought of admitting that they don't is just too much to bear, for that reason that I could now be hanging out a flag that says, come hack me. But also because of loss of reputation, they're going to be thinking that investors are going to be like, "Oh my goodness, give me my money back." So I mean, I think they'd rather take a risk of getting an SEC fine or something.

Jake Bernstein: Well, so it's worse than that. I mean, securities fraud can also be criminal, and go to jail.

Kip Boyle: Sure.

Jake Bernstein: So I think, what I'm hoping at least, is that rather than just lie and take the risk of going to jail or taking a massive fine, people will just invest in cybersecurity. That way they can-

Kip Boyle: I hope so.

Jake Bernstein: ... Live up to the claims that they make.

Kip Boyle: And it can be minimum viable, right? I say this to my customers all the time, what's the least you can do, and still move the needle, right, and still make a difference? What's the least you can do and still make a difference? I don't see anything wrong with that; in almost every case that I'm involved in, it's a great starting point, maybe you don't stay there, but that's a great place to begin. So if you find yourself wondering what you're going to write in your 10-K, I would suggest that you think minimum viable.

Jake Bernstein: Agreed. And I think Kip, that it's time for you to wrap up this episode.

Kip Boyle: Yes, sir, it is. And I will wrap up this episode of the Cyber Risk Management Podcast. Today we discussed the potentially game-changing new incident reporting and cyber risk management and governance disclosure rules by the SEC, which, at the time you're listening to our episode, have recently taken effect. Jake and I are holding on, because we think it's going to be a fascinating year watching what all these organizations are doing, but we'll see you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.