SEC and CIRCIA
Different Aims, Different Progress, Different Results
SEC
The US Securities and Exchange Commission (SEC) proposed draft rules in March of 2022 requiring public companies to disclose cyber incidents with a material impact. The rule was finalized and went into effect in December 2023. It is having an immediate impact.
US publicly traded companies appear to be erring on the side of caution in two ways. First, they are reporting cyber incidents shortly after they happen, even before they have determined that the incident will have a material impact, which is the point at which reporting is actually required. When they do this right, they report it as an Item 8.01 Other Event in an 8K.
For example, Halliburton filed an 8K on August 23 for a cyber incident that happened on August 21. In this 8K they said they were performing an “assessment of materiality”.
Halliburton filed another 8K on September 3 that said the incident has not had, and is not expected to have, a material impact. (Note I believe they misfiled it as an Item 1.05 Material Cybersecurity Incident. They discussed materiality, but it was not material. The SEC will likely clarify again how filings should be done.)
Importantly, neither of these 8Ks, nor any additional company statements, provided any information that would help the government or industry protect against, detect, respond to or recover from a similar cyber incident by the same attacker. The 8K incident detail is limited to:
Company became aware that an unauthorized third party gained access to certain of its systems. … The incident has caused disruptions and limitation of access to portions of the Company’s business applications supporting aspects of the Company’s operations and corporate functions.
This follows a similar approach by Clorox and other companies reporting cyber incidents to the SEC. In the Clorox case the additional detail that eventually came out was on the impact of the cyber incident on product deliveries and shelf space in stores. This makes sense. The purpose of SEC reporting is to inform shareholders and the market about the impact of material events; it’s not to help cybersecurity professionals, the government, or other companies.
It’s an easy prediction that US public companies will continue to report as little cybersecurity details about an incident as possible. There is regulatory and liability downside to sharing information.
CISA and CIRCIA
CIRCIA is different in so many ways.
Speed
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed in March of 2022. The draft regulatory rule was published for comment in April of 2024. Two years later!
The comment period closed in July 2024, and CISA anticipates the rule being finalized in 18 months … about four years after the law was signed.
It’s hard to say with a straight face that this reporting is important to national security and take four years to put it in place.
Detail
From CISA:
By requiring Covered Entities to report Covered Cyber Incidents and Ransom Payments to CISA, the CIRCIA regulations will help improve the nation’s cybersecurity posture in various ways, such as by allowing CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and share that information with network defenders so that they may take actions as they deem necessary to protect themselves from becoming victims of similar incidents.
It hits all the classic urgings of public/private partnership and information sharing. (somehow I need to work holistic in there)
CIRCIA is asking for detailed information. Vulnerabilities exploited (including the specific products or technologies and versions of the products or technologies in which the vulnerabilities were found), assets and networks compromised, IOCs, effectiveness of response efforts, and much more. Search for 226.8 in the CIRCIA draft if you want to read it.
If you buy into the value of information sharing in reducing widespread impact, which most do, CIRCIA sounds logical.
CIRCIA is asking for the detail that would open a company up to SEC regulatory action and shareholder lawsuits if the information comes out. And it is asking for these details even if it doesn’t result in a material impact to the company.
On one hand you have the SEC, with quicker moving regulations that are incentivizing early reporting of any cyber incident in minimal technical detail. On the other hand you have slow moving CISA, requiring detailed technical information with penalties for incompleteness or inaccuracy.
There is greater pain in disclosing to CISA and greater pain in not disclosing to the SEC.
One last thought …
I’ve heard Jen Easterly and others at CISA say they don’t want to be regulators, that it will hurt their ability to work with industry. CIRCIA will change that as strictly interpreting a Covered Cyber Incident and required information will be necessary to get companies to go through the pain and risk of CIRCIA.