
In a recent podcast interview with Cybercrime Magazine's host David Braue, Scott Schober, Cyber Expert, Author, and CEO of Berkeley Varitronics Systems, discusses the SEC's new rules on reporting hacks and data breaches, including why they're pushing for more transparency surrounding cyberattacks, and more. The podcast can be listened to in its entirety below.


Welcome to The Data Security Podcast, sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can learn more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.

Q: Joining us today is cyber expert Scott Schober, CEO of Berkeley Varitronics Systems, and author of the popular books Hacked Again and Senior Cyber. Scott, as always, thanks for your time.

A: Yeah, thanks for having me on, David.

Q: Absolutely. So, as always, there's some interesting stuff going on in the cybersecurity space. We were very interested to see the new rules that the Securities and Exchange Commission has put into place within the past few weeks.

This has to do with the need to have public companies now disclosing any incidents that are deemed to be material, any cyber incidents that they experience. It also puts a bit of a tighter requirement on them in terms of reporting the cybersecurity protections they're putting in place. Tell us a bit about it. What's happened?

A: I think what happened is just the sheer number, the sheer volume of cyberattacks, kind of a spree that's been going on, at least here in the U.S. especially. They've documented more than 500 companies that have been victims of different types of cyberattacks, and most of them are tied to ransomware gangs, and that seems to be what's really initiating, propelling this, along with their really exploiting vulnerabilities and some of the new exfiltration techniques to steal the different data. It's causing this wave of problems, and I guess it got the attention of certainly the SEC, and shareholders, and public companies. And suddenly everybody's kind of realizing, hey, something's got to be done. Nobody knows 100% for sure what needs to be done, but steps need to be taken toward, maybe, greater transparency and some accountability. And I think that was kind of what led to where we are here today, talking about the SEC requiring disclosure of cybersecurity incidents quicker than in the past.

Q: There's definitely been a range of requirements in there, in terms of what companies are supposed to do. There are state laws, there are different requirements, different time frames, just a bit of a hodgepodge to date.

A: Yeah.

Q: What sort of problems has that created do you think? In terms of finding out what's really going on out there.

A: Yeah, you said it so well. I always look at it like the Wild West. Nobody exactly knows what to do. Some people have jumped the gun, and they've reached out and tried to disclose things maybe a little too quickly, which has actually caused more problems. So then companies started to back off a little bit. So you've got this hodgepodge, as you say, of different ways of doing things, and I think they're trying to streamline it. Get everybody on the same page and put some rules and regulations and structure into this. So at least for public companies, they could properly report data breaches within a certain period of time, and of course, they have some exceptions in there as well, which we'll probably talk about, but I think it gives structure. And I think that's what's really missing right now. When things are the Wild West, people do what they want, and companies say, "We'll wait a little bit. Let's dig in deeper. Let's not upset the shareholders. Let's wait till after this quarterly filing," or whatever the case may be, and that's not good.

Q: Yeah, there's definitely quite a delay in the current methods that people have been using, if they even report them at all. So clearly from now on, when this comes into place at the end of the year, every public company is going to have to report incidents that they've experienced. It's really part of this idea of looking at the risk that a company is facing and the way that they're managing it, isn't it? So it's almost the graduation of cybersecurity to join other significant risks that a company might face. It's really propelled cybersecurity to the forefront, I think, of strategic planning for these businesses.

A: Yeah, I think that's a really good point. Because when we think about cyber breaches and data breaches, there are real-life consequences there. There's reputational cost, and if you think about it from strictly even an investor standpoint, they have the right to know. They need to know about a company or organization's cyber risk management activity. So the more disclosure, the more transparency, the better for the investors, ultimately, and hopefully, that translates to better for the company and the organization. I think that's important, that everybody sees the big picture. This is not to just scrutinize and micromanage these companies. Not that they don't have too much of that already, but it's really to develop a framework and transparency to help everybody, and a level of accountability. They can't stick their head in the sand, as some companies have done when it came to cyber problems.

Q: Well, a lot of the companies have done that because they have very real concerns about shareholder value, about the stock price tanking if it's seen that they're vulnerable. They'll say that they have some pretty legitimate reasons for being a little bit quiet about this sort of thing. Will this just destigmatize the idea of being breached?

A: I think it might. It's really hard to say. I think they need to start something and do something and push it a little bit to get these plans in place, these procedures, and then see what the outcome is, and, if needed, tweak it a little bit here and there. To me, I commend them because it's a start. I don't think it's the ultimate solution, but it's a start. I like it when at least organizations are willing to try to improve things and get everybody on board and kind of develop that transparency that we all need in this industry.

Q: And, as you said earlier, there's a level of consistency in the new regulations. SEC Chair Gary Gensler is on record, and he said that the value of this is providing more consistent, comparable, and decision-useful information about breaches. That's quite a range of, I guess, goals that they've put in place: "decision-useful". So really trying to help companies, I guess, understand what the real risks are as opposed to, perhaps, what they've been sold, or what they've heard through the grapevine about their risk of being breached. That's pretty significant, isn't it?

A: Yeah, I do think it is. And it's important that they do that, I think. Now in fairness, most of these companies, not all of them, but most of them, are not cyber companies. So they don't really fully get it, or understand, or have the depth, perhaps, and I think one of the words they used, if I recall right, was "material", and understanding what that keyword "material" is. I think the article in The Verge went on to talk about it a little bit.

Most organizations are not prepared to comply with the SEC guidelines because they cannot determine "materially" what is core to shareholder protection. They lack systems to qualify risk at a broad and granular level, and so on and so forth. And there's some truth to that. I think that's why it has to be slowly backed into, and understood, and kind of get something started here. Because then they're gonna realize, wow, all these companies don't have a dedicated team per se that could do it. They may be working with third parties or other experts that can weigh in on this. But again, it's a starting point. So again, I think we want to commend that and work through some of these kinks.

Q: Yeah, that definitely is a good point. And with cyber breaches, typically, there's the disclosure of it or the discovery of it. There's the forensic investigation. It could be weeks or months before companies actually know how material the breach is. It might be a very small thing, although not so much these days anymore, but you know that the total cost can run to tens or hundreds of millions of dollars, and you might not know that for six months afterward. So it is a bit of a fluid thing, isn't it, to talk about materiality?

A: Yeah, yeah, that's a brilliant point. And I think you can't put every single breach into a nice little package, because they vary so much, and what you said was brilliant there, because you really have to look at the nature of it, the scope of it, the timing of it. What kind of material impact does it have? Not just on the company but on the shareholders and their industry? So there are so many other things. Not to mention, probably one of the most important, I think, and this is where the government kind of steps in, and there was a mention of this: the SEC said there could be delays in reporting, in fact, even up to 60 days, if the U.S. Attorney General determines that alerting shareholders to the incident would pose a substantial risk to national security or public safety. That's interesting. So there is a little "gotcha" there, I think, that we have to keep in mind.

Every company may not quickly disclose things, depending upon the nature of it. So it gives companies a little bit of leeway, especially companies that are working as, maybe, prime contractors to the U.S. DoD, or something like that. They have to be very careful about what they disclose immediately, until a proper investigation has been done, and to verify that there is no national security risk posed.

Q: That probably ties into the increased attention we've had over the past few years to critical infrastructure. You know, if you find out there's a breach of, I don't know, the local power company or something, there's a lot that goes into that before you have to worry about shareholder implications. There's a lot more that has to be resolved, a lot more to work through for public safety, and that. So it makes sense that there would be exemptions in that way. And then, later on, once everything is stabilized, we can worry about the market impact.

A: Yeah, that's good. And I think, case in point, I think back to Colonial Pipeline. Probably most people around the globe are familiar with it, where the East Coast was kind of paralyzed with this hack. And right away, Colonial Pipeline reported it, and they were working behind the scenes with local law enforcement and the FBI, which enabled them to get back some of the funds quickly. Some funds were paid, stolen, a big mess, as it all unfolded, but they were able to address it rather quickly. But it wasn't in four days, as this particular requirement the SEC is putting out there. For critical infrastructure, though, it did affect public safety, and it did affect national security. So it actually fits in that blend where it would take a longer period of time than just four days of quickly disclosing it, because there was negotiation, and there was tracking down some of the cryptocurrency and wallets, and so on and so forth, which made sense, I think. And that's really what we don't dive into, all the little nitty-gritty details of what goes on behind the scenes, but a lot goes on in a very short period of time post-breach, and that's what's important: that critical aspect of time. Things can be done properly in conjunction with law enforcement.

Q: That everybody's been brought in that needs to be, and that everybody's on the same page. Yeah, very, very true. So one of the interesting things, Scott, that I've found here: not only is there the need to disclose the risk. This is done through filing a Form 8-K, which is something that companies have already used with the SEC to tell them about risks. There's going to be a new item, Item 1.05, if you're keeping track, which will have to be filled out basically to notify about the cyber breach. But there's also now an Item 106, which has been introduced. And this is an interesting one, because this is designed to get companies to describe their processes, the way that they assess, identify, and manage the material risks from cybersecurity threats. As well as, and this is what the SEC says, "as well as the material effects, or reasonably likely material effects of risks from cyber security threats". The other thing that this item is going to require is that companies are going to have to describe the board of directors' oversight of cybersecurity risks, and the role and expertise of management in assessing and managing material risks. In other words, your board, your executives, they need to know cyber. They need to have expertise in cyber. There are no more excuses anymore, are there?

A: No. And I think you and I, and probably many others in the field of cyber, have been saying this for a while: the importance of getting everybody on board. It's not just the IT team's requirement to understand cyber. Spell the word that everybody's got to get on board and implement best practices. And again, this is a good step in the right direction.

A 10-K is very comprehensive. It's a report that these publicly traded companies are gonna file annually about, really, their performance, before the SEC, so the shareholders know what's going on there before an annual meeting, before they elect directors. But they're basically saying here, we need to know more than just the history and organizational structure and financials. We wanna make sure everybody's on board, understanding the cyber risks that are inherent with this organization, and having a plan. If something happens, how are we going to respond? Just like anything, if you think about it: if you know a storm's coming through, you want to have your "go bag". You want to have some common-sense plans to respond to it, and I think that's what they're kind of saying here. Since cyber incidents happen in a way that almost seems random, you can't really predict them. You gotta be prepared all the time, and that's what they're kind of getting all these companies ready for.

Q: In a lot of these companies, historically, the go bag was a suitcase stuffed with cash and a one-way ticket to the Caribbean. Wasn't it?

A: Golden parachute, yep.

Q: So that's changed a little bit, certainly. But it is a pretty significant thing for the SEC to be saying, you know, your board has to be cyber-savvy. No longer is it a question of, you know, getting them cyber-savvy. It seems like as we go forward, it will be a crucial capability when you're choosing directors, when you're appointing directors, choosing executives. You've got to have cyber skills and an understanding of what's going on, what the risks are, and what you would do about it. As you said, the "go bag".

A: It actually probably makes executives more valuable if they get the proper learning and training on their resume. They're going to be attracted to companies that are willing to pay a premium for them because they have this cyber education. They understand cyber risks and what they mean to the business and to the organization. So I think it's a good thing. You've got to look at it in a positive way: how can we make things better, stay safer, and fight against these cybercriminals, because they're really turning it up out there.

Q: And the SEC really is turning it up as well. The pressure's on, and companies need to respond in kind.

A: Exactly, and it may set a precedent for other countries as well. I know there are things that are certainly being done in Australia and other countries around the world. I think it's good when countries step up and implement things like this. It'll hopefully be taken more seriously and handled on a global scale.

Q: Yeah, there's certainly a lot of effort. I think everywhere people are looking at some of the similar issues. The U.S. tends to be very much ahead in terms of markets and compliance. So this, I think, will be something that you'll see echoes of over the next few years in other countries that are looking at risk, and how to manage that very, very closely. Certainly the onus on boards of directors, on executives, to be okay with cyber really has increased all over the world. So, you know, hopefully it will, I guess, raise all boats, as they say. See if we can just get a bit better at getting on top of this stuff before it becomes a major problem for companies.

Interesting times as always, Scott. Thank you so much for joining me today.

A: Yes, and thanks for having me there, David. Stay safe, everyone.

Post by Lauren Yacono
August 29, 2023
Lauren is an IU graduate and Chicagoland-based Marketing Specialist.
