The Latest on Mandatory Reporting of Data Security Incidents
What’s the Latest with the U.S. Mandatory Reporting Rules?
In case you haven’t heard, it appears that the U.S. Securities and Exchange Commission (SEC) is attempting to separate its own notification rules from other state laws or regulatory disclosure provisions.
They recently proposed a rule change that would require public companies to notify investors of material data security incidents on a Form 8-K “within four business days after the registrant determines that it had experienced a material cybersecurity incident.” This rule would also amend Forms 10-Q and 10-K, requiring registrants to provide updates to prior disclosures on 8-Ks in their quarterly or annual notices, respectively.
Additional proposed changes in the 10-K include disclosures about:
- Your policies and procedures for identifying and managing these kinds of risks,
- The governance role played by your board of directors regarding oversight of security risks,
- Management’s role in assessing and managing risk, and
- Management’s implementation of practices to reduce risk.
Another proposed amendment of Regulation S-K would require disclosure if any members of the board possessed any relevant expertise.
It's also worth noting that this proposed SEC rule does not allow for a delay in reporting because of an ongoing internal or external investigation. It also closes any loophole under which a state law provision could excuse a delay in reporting such an event. The result is that a public company may be required to report an incident on an 8-K even while other rules prohibit it from reporting publicly or to other governmental bodies pending the completion of an investigation.
Not to be outdone, the U.S. House of Representatives just passed measures of its own. These will require those of you designated as Critical Infrastructure to alert the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours if you believe an incident has occurred.
The rule passed by the House also requires disclosure within 24 hours of a payment to a ransomware operator or a similar occurrence. CISA would then have the ability to aggregate that data and publish it in anonymized form to its stakeholders. While the Senate still needs to pass the bill, it looks likely that these measures will become law.
Who Should Be Concerned About the Proposed New Mandatory Reporting Requirements?
These new requirements should concern organizations everywhere, to put it simply. You’re already used to dealing with problems like new threats, growing attack surfaces, and more sophisticated threat actors.
But now, you’ll also need to step up your incident response efforts in response to this increasing legal and regulatory appetite for mandatory disclosure rules when security incidents occur. That means paying closer attention to your disclosure obligations.
That goes double for organizations that:
- Are designated critical infrastructure
- Are publicly traded
- Are subject to a variety of U.S. state and international security and privacy regulations
These organizations will likely need to bring in or establish extensive legal and regulatory expertise specifically to handle their reporting efforts in the event of a security incident.
3 Strategies To Help You Prepare for the Proposed New Mandatory Reporting Requirements
But what can you do to actually get ahead of these events before they can happen?
There are three strategies you should consider:
- Expand the scope of your incident response planning;
- Introduce better tabletop exercises; and
- Conduct a risk assessment on your reporting obligations.
1. Expand the Scope of Your Incident Response Planning.
First, your scope of incident response needs to grow to encompass parts of the business not previously considered. To illustrate why, look no further than the incidents affecting the Colonial Pipeline or UKG/Kronos last year:
- When it came under a ransomware attack, Colonial Pipeline was not breached through the energy infrastructure that serves as its backbone, but rather its back-office network.
- While the back-office network seemingly was not a mission-critical system for Colonial from a production standpoint, the lack of security there became a significant problem for them.
- Unable to properly bill their customers, they chose to shut down the pipeline until they could recover their accounting and billing function.
- Similarly, the ransomware attack on Kronos shut down their private cloud and had a huge ripple effect on their customers.
- Many had to scramble to implement spreadsheet or pen-and-paper timekeeping and payroll functions during the 2021 holiday season. Others did not have an effective means of tracking hours worked (meaning that there were thousands of families who needed that overtime pay and maybe didn’t get it).
- It's likely that many Kronos customers did not consider the availability or confidentiality of those systems to be significant in their incident response or business continuity planning. However, they were proven wrong when they quickly found themselves in a bad situation.
Thinking more expansively about the scope of your incident response would help you avoid breaches from unanticipated areas. And, of course, it’ll also help you prepare for obligations under the newly proposed reporting requirements.
2. Introduce Better Tabletop Exercises, and Follow Through on Performing Them.
In your planning for incident response or business continuity, you should be conducting tabletop exercises. Translation: you need to work through probable (albeit fictional) scenarios about security incidents.
These may seem like role-playing games, and it can help to treat them exactly that way: have someone act as the game master, assign roles to the players, bring snacks, maybe even have some fun.
In reality, these “games” can be used to exercise your preparation, uncover areas where your plan is lacking, or understand the scenarios where people don’t know what to do.
However, it’s important that, during these tabletop exercises, you refrain from making judgments about individuals or their responses. These activities should be about exercising the plan more than testing the participants. In actuality, training your personnel on their incident response or business continuity activities constitutes a separate, if parallel, effort.
3. Conduct a Risk Assessment on Your Reporting Obligations.
If the SEC’s proposed changes do come into effect and the Senate does pass those disclosure requirements, you should conduct a risk assessment on your reporting obligations.
Even privately held or non-critical infrastructure entities need to understand:
- Whether you have state data breach notification obligations;
- Whether you are obligated to disclose under privacy requirements like GDPR or U.S. state privacy laws; and
- Whether you have contractual disclosure obligations with customers and business partners.
Once your assessment is complete:
- Engage with legal counsel and compliance teams to determine your requirements;
- Assess the changing landscape;
- Determine what sorts of contractual provisions you have (you may have extensive provisions in place regarding what to do if you suffer a breach of a customer’s information); and
- Discuss how these outcomes will influence your incident response and business continuity practices.
Consider all three of these as a cycle of continuous progress, where strategies #1 and #2 inform the third, which in turn improves your next iteration.
Next Steps for Mandatory Reporting
The legal, regulatory, and contractual landscape for reporting on incidents is growing more complex, and you need to increase your efforts accordingly.
While it’s often the case that the legal and regulatory landscape takes time to catch up to the sophistication of current threats and attacks, it appears that the U.S. government is making some moves to do so. Now, you understand where things stand at this moment and what you too can do to match their progress.
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.