SEC Regulations, Government Overreach and Access to Cybersecurity Information
2023-10-30 20:00:09 Author: securityboulevard.com

A fine line exists between government guidance and oversight and heavy-handed, intrusive control. In the new world of all things cybersecurity and cybersecurity defenses, that line is still being drawn. While the federal government’s National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a popular and well-received set of guidelines and best practices, the recently finalized SEC cybersecurity rules seem to be triggering some folks to say the line is being crossed.

There has always been a concern that the federal government can and will access private information at its own accord, which is why there are checks and balances in place. For example, unless a company willingly shares its internal databases or documentation, government agencies must obtain warrants or follow the procedures laid out in the Foreign Intelligence Surveillance Act of 1978 (FISA). Accessing a company’s sensitive security data and intellectual property without following established protocols, for example, would qualify as government overreach.

Maintaining an agreement between a public or private organization and the federal government is good for several reasons. Getting entities such as the FBI or CISA involved can strengthen an organization’s attack analysis. The government has more capability and information access than individual companies do, so its assessments can help assemble pieces of the puzzle to answer the who, what and why of an attack more robustly. Furthermore, the public sharing and dissemination of results following attack analysis helps other organizations prevent the same thing from happening to them and their customers or end users.

While the government should not control private organizations’ cybersecurity, it should provide guidance and minimum regulations for compliance. Since 1972, NIST has conducted research and provided cybersecurity guidance; the Cybersecurity and Infrastructure Security Agency (CISA) was created in 2018 and, most recently, the SEC finalized cybersecurity reporting and disclosure rules.

If, on the other hand, an organization chooses to forgo government regulations like those put forth by CISA and the SEC, consequences are expected. These regulations ensure companies are safeguarding American citizens, investors and sensitive data from cyberattacks. If guidance and regulations are met and there is still a security compromise, an organization should willingly share access to data with the federal government. That way, the victim organization and the government can collaborate effectively to understand the attacker’s intentions and means of initial access. This should not, however, inherently mean an organization is in legal trouble. Consequences are only warranted when there are indications of negligent security practices.

Why the SEC Guidelines Caused Angst

We’re now less than two months out from the SEC cybersecurity rules taking effect, and people are still divided. Some organizations have been familiar with similar regulations for more than a decade, but for others, these rules may be entirely new. During the initial public comment periods, several elements of contention emerged, and they are likely the source of the hesitancy now felt with regard to government oversight.


The SEC now requires that material security incidents, including but not limited to cybersecurity incidents resulting in data or financial loss, be disclosed within four business days from the time that materiality is determined. On the whole, this makes sense, since both attacks and incident response are happening in minutes, not days or months.

However, what’s controversial is that public companies must disclose the breach via a public 8-K filing. Filing an 8-K within four business days has drawn criticism because many believe four days isn’t enough time to fully assess a cybersecurity event and determine what happened. 8-K filings have massive impacts on customer perception and investor relations, so they can’t be taken lightly. Just look at MGM and Clorox. During this trial period between when the rules were published and when they take full effect, we see companies disclosing only a small fraction of the information in the appropriate SEC forms and amending them as investigations play out. Technical details in these disclosures are often lacking, but they’re not explicitly required under the SEC rules.

In the Event of a Breach, Who is to Blame?

Along with questionable government guidance comes the blame game: Who is responsible for a cybersecurity incident? A company’s livelihood depends on its cybersecurity program these days, and at the helm of the ship is the CISO. Just as the CMO and CFO lead the marketing and financial programs and would be responsible for failures in those organizational realms, the CISO’s head is on a platter if things go south with most cybersecurity issues.

However, as with any failed organization, responsibility for mistakes is not and should not be on the shoulders of one person. Cybersecurity issues impact the entire C-suite and board, and the SEC disclosure rules include CEOs and CFOs in these matters.

The CISO role itself is relatively new, only having come into existence in the 1990s. Many organizations may not even staff for the position, and in others, duties might be shared by another CxO such as the CIO.

It is worth noting that the updated SEC requirements also include annual security program disclosures. This is aimed at promoting transparency and keeping CISOs accountable for maintaining a robust cybersecurity program. Plenty has been said about how CISOs hold much cybersecurity accountability but little authority compared to the rest of the C-suite. We are, though, finally seeing CISOs obtain more power and authority to address organizational challenges, not just the crushing responsibility.

Where Do We Go From Here?

Yes, faster reporting takes more effort, but it’s also necessary. Most organizations are better off disclosing an incident to the SEC that turns out to be immaterial than not disclosing it at all and facing regulatory repercussions. Investors may even become numb to the disclosures over time, particularly if filings contain generalized information or limited technical detail. If every public company starts filing and amending 8-Ks for every incident simply to protect itself from potential consequences, media reporting on 8-Ks might become a thing of the past. We’ve seen how poorly it can play out for Tempur Sealy, Caesars Entertainment and MGM Resorts International after their filings, but they are the unfortunate few who got attacked before the rules legally went into effect.

As with many things, the line between government guidance and oversight on one side and overreach on the other will remain a point of contention, pushed back and forth by changing opinions. And though we must continue to advocate for guidance and support, we should be wary of overreach and control.

Source: https://securityboulevard.com/2023/10/sec-regulations-government-overreach-and-access-to-cybersecurity-information/