
What can the Titanic Teach Us about Cybersecurity Risks and Preparations

The SEC Cybersecurity Regulations that went live in December 2023 make clear the need to describe management’s role in cybersecurity processes and practices, specifically cyber-risk management and cyber-risk detection, and the need to disclose those "good faith" cybersecurity processes to investors in a Form 10-K. The SEC Cybersecurity regulations have proven to be the catalyst driving a paradigm shift in how companies view and manage cybersecurity risks: as business risks. The US Government, under the leadership of CISA, is establishing policies to provide greater transparency into the trustworthiness of software products and the entire software supply chain. The FDA is also requiring medical device manufacturers to implement cybersecurity policies to ensure that secure software development practices are incorporated into new medical devices, especially the monitoring and mitigation of CISA KEVs. On 10/16 the SEC published its examination priorities for 2024, and cybersecurity policies are right at the top of the list: "The Division will focus on registrants’ policies and procedures, internal controls, oversight of third-party vendors (where applicable), governance practices, and responses to cyber-related incidents, including those related to ransomware attacks."

Always remember to get the latest software product trust score from the software product Trust Registry - know the risks before buying, installing or using a software product. You own the consequences of your decision. Make wise choices.

What lessons can the movie Titanic offer CEOs and other Officers and Directors of a Company regarding the need to PROACTIVELY detect cyber-risks and avoid disasters using CISA and NIST best practices in preparation for the December 2023 go-live of the SEC Cybersecurity Regulations?

  1. Watch out for icebergs; make sure the “birds nest” is properly equipped and manned to PROACTIVELY detect icebergs and avoid catastrophe. You don’t want to end up like this guy OR this guy.

Cyber-icebergs (cyber-risks) come in many forms and from multiple directions. It’s imperative that "good faith" cybersecurity processes and practices follow NIST standards and guidelines to implement a 360 degree view of these cyber-risks, which can arrive via e-mail, phone calls, software vulnerabilities (especially the "prima facie", red flag cyber-risks described in the CISA Known Exploited Vulnerabilities (CISA KEV) catalog), and other attack paths. Make sure the people manning the “cybersecurity birds nest” know where to look for cyber-risks and how to properly detect these risks (a/k/a threat intelligence). The cyber-insurance industry is also considering the impact these SEC regulations will have on D&O and cyber-security insurance policies. Don’t put men or women in the “cybersecurity birds nest” without the proper tools; the men manning the birds nest on the Titanic lacked binoculars. A $100 pair of binoculars could have prevented the Titanic multi-million dollar disaster and saved thousands of lives. The linked video also shows the importance of an incident response plan, which now needs to include the determination of materiality before filing a Form 8-K cyber-incident disclosure.

  2. There is no honor in going down with the Company from a catastrophic cyber-incident.

Sea Captains are noble, courageous people with a history of honor. One of those “badges of honor” is to “go down with the ship at the wheel”. A scene from the movie Titanic depicts the moment when Captain Smith faced his own destiny and legacy (and poor judgment) by going down with the ship, living up to this noble tradition. Companies that “go down” due to a cyber-incident do not share this proud tradition of honor with Sea Captains. Officers and Directors are more likely to face lawsuits and regulatory actions when they don’t take proper precautions to proactively detect cyber-risks and prevent harm from occurring. It is imperative that Officers and Directors deliver cybersecurity process disclosures in a Form 10-K that clearly show "good faith" in “detecting and mitigating cyber-risks” (icebergs), especially the "prima facie" red flag cyber-risks described in the CISA Known Exploited Vulnerabilities catalog. Captain Smith ignored multiple warnings of icebergs in the area.

Never underestimate the compelling influence of tamper-proof "hard evidence", presented by a trusted steward of that evidence, showing that you have made a "good faith" effort to proactively detect and stop the bad guys. Directors and Officers may want to consider this prudent ABA advice regarding the red flag cyber-risks that CISA KEVs represent when preparing a Form 10-K filing: "Fiduciary liability is not premised on the occurrence of the underlying event but rather the failure of officers and directors to make a good faith effort to attempt to establish systems of controls or the failure to report clear red flags when they emerge."

Keep in mind "there will always be a lawsuit". When the rubber meets the road there is only one key question that each Officer and Director needs to answer honestly: "Am I confident the cybersecurity processes and retained evidence we have in place will protect me from personal financial losses in the event of a material cyber-incident that results in shareholder losses and a shareholder lawsuit after the SEC Regulations take effect?" CFOs, CEOs and other Officers may want to check whether "overconfidence" may be introducing personal risk [KROLL]: "Our CFO cyber security survey has shown that Chief Financial Officers are highly confident in their companies’ abilities to ward off cyber security incidents, despite being somewhat unaware of the cyber vulnerabilities their business faces. Almost 87% of the surveyed executives expressed this confidence, yet 61% of them had suffered at least three significant cyber incidents in the previous 18 months."

The SEC Cybersecurity Regulations that go live in December 2023 clearly show that the onus of responsibility for effective cybersecurity practices and processes, showing a "good faith effort" to protect against cyber-risks and preserve evidence, is squarely on the shoulders of Officers and Directors. The SEC complaint filed against SolarWinds on October 30, 2023 showed the absolute importance of filing an accurate, honest and complete "good faith" cybersecurity process description in a Form 10-K, showing adherence to NIST best practices for cybersecurity, such as the NIST CSF, and tamper-proof evidence supporting these claims. Make sure the men and women manning the “cybersecurity birds nest” have everything they need to proactively detect cyber-risks and prevent a catastrophe from occurring. The MGM CEO, Bill Hornbuckle, made the following observation when responding to a question regarding the MGM ransomware attack: "This is probably going to cost us in the range of $100 million. It is covered by cyber insurance, thankfully. I can only imagine what next year’s bill will be. And so moving forward, it’s about reinvestment into infrastructure, people, and processes.”

The FDA also emphasizes the importance of identifying and addressing these CISA KEV cyber-icebergs as part of a pre-market medical device application (see page 31):

Cybersecurity management plans should include the following elements:

• Personnel responsible;

• Sources, methods, and frequency for monitoring and identifying vulnerabilities (e.g., researchers, NIST national vulnerability database (NIST NVD), third-party software manufacturers);

• Identify and address vulnerabilities identified in CISA Known Exploited Vulnerabilities Catalog;
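The third FDA element above (cross-check what you ship against the CISA KEV catalog) is the kind of "birds nest" check that can be automated. The following is an added example, not code from the original post or from CISA or the FDA: it assumes a JSON feed in the shape of the CISA KEV catalog (the `vulnerabilities` list with `cveID`, `dueDate` and `knownRansomwareCampaignUse` fields) and a component inventory with CVE ids from a scanner or SBOM review; both inputs are constructed samples, not real records.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed. The CVE ids,
# vendors and dates below are illustrative placeholders, not real KEV entries.
KEV_FEED_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleApp",
   "dateAdded": "2023-09-01", "dueDate": "2023-09-22", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "vendorProject": "OtherVendor", "product": "OtherLib",
   "dateAdded": "2023-10-10", "dueDate": "2023-10-31", "knownRansomwareCampaignUse": "Unknown"}
]}
"""

# Constructed inventory: components a scanner or SBOM review found in our product,
# with the CVEs it reported for each one.
INVENTORY = [
    {"component": "ExampleApp 4.1", "cves": ["CVE-0000-0001", "CVE-0000-9999"]},
    {"component": "OtherLib 2.0", "cves": ["CVE-0000-0002"]},
    {"component": "CleanLib 1.0", "cves": []},
]

def load_kev(feed_json):
    """Index the KEV feed by CVE id so each inventory CVE is one dictionary lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def kev_findings(inventory, kev, today_iso):
    """One finding per (component, KEV CVE) pair; flags overdue and ransomware-linked ones."""
    today = date.fromisoformat(today_iso)
    findings = []
    for item in inventory:
        for cve in item["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # a CVE, but not in KEV: still a vulnerability, not a "red flag"
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "component": item["component"],
                "cve": cve,
                "due": entry["dueDate"],
                "overdue": today > due,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    # Ransomware-linked and overdue items first: these are the ones a board will ask about.
    findings.sort(key=lambda f: (not f["ransomware"], not f["overdue"], f["due"]))
    return findings

if __name__ == "__main__":
    for finding in kev_findings(INVENTORY, load_kev(KEV_FEED_JSON), "2023-10-16"):
        print(finding)
```

Run against the real feed, the sorted list is the retained evidence that KEVs were checked on a known date, and the `overdue` flag is what the remediation deadline in the catalog means for each component.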

There is no pride in going down to a cyber-incident, standing at the wheel.

“The supreme art of war is to subdue the enemy without fighting.”
― Sun Tzu, The Art of War

Energy Central hosted a PowerSession on December 14 with a panel of cybersecurity pundits from across multiple business disciplines to help us understand and prepare for the SEC Cybersecurity Regulations that are ushering in a cybersecurity paradigm shift.

An enhanced copy of my slide deck from the BSides CT conference held on September 30 at Quinnipiac University is available online.

[UPDATE October 3, 2023: Sonatype issued their 2023 Open Source Report today containing this alarming statistic: Vulnerabilities persist, with 23% of Log4j downloads still being of critically vulnerable versions, despite fixes available for almost two years. And, in 2022, we saw that 12% of downloads, roughly 1 in 8 of all components served by Maven Central, contained a known security vulnerability.]

[UPDATE October 6, 2023: The MGM 8-K Filing describing the cyber-incident is now available. This is a good example of the information that should be reported in a Form 8-K within four business days, when the SEC Cybersecurity Regulations go live in December 2023. But there is one big missing piece, they did not disclose the ransom payment (the initial material impact) demanded by the hackers. That should have been disclosed, IMO.]

Watch out for those cyber-icebergs (CISA KEVs) in open-source, and elsewhere!