But like all regulations, the SEC cybersecurity proposals are receiving a mixed reception in the market. Tom Kellermann, SVP of cyber strategy at Contrast Security, simply told SecurityWeek, “While I applaud the long-awaited guidance, it doesn’t go far enough. The cybersecurity requirements should align with a given standard like NIST 800-53 or the FFIEC, and reporting should be required for intrusions and/or cyberattacks that result in the manipulation or destruction of data.”
It is a common concern that business is already overwhelmed by national, international and state-level regulations: GDPR, California’s CCPA and New York DFS 23 NYCRR 500 could all be added to the list. The argument is that new regulations should align with (or simply require compliance with) existing ones, rather than adding to an already overwhelming tangle of regulatory requirements.
Jonathan Reiber, VP of cybersecurity strategy and policy at AttackIQ, doesn’t see it this way. “This is a much stronger regulation than just the New York financial one and the California one. It’s a national level breach reporting law. Companies are going to have to deconflict a little bit with the states – but one of the benefits of this rule is that it sets requirements at a national level which will supersede those other states. It should make it a little bit easier to do business.”
He believes it is on the SEC to align its proposals with existing regulations, but it will help national financial firms do a much better job of incident reporting. “The reason I like it,” he continued, “is that it will force financial firms to prepare their defenses and their teams for likely incidents. I like to call that a threat informed defense strategy. And that means thinking about the adversary and exercising controls against the adversary.”
Like Kellermann, Jeff Williams, CTO and co-founder at Contrast Security, also has concerns over the SEC proposals. “While it’s nice to see the SEC being active about cybersecurity risks, this rule simply captures very basic cyber hygiene,” he told SecurityWeek. “Historically, the SEC has focused on ‘incidents’, and it’s nice to see them expanding to cover vulnerabilities as well. Still, I can’t see how this will make a significant change in covered entities, all of which already have a risk management program of some sort.”
He points to the amount of risk already being carried by the covered entities. “Untriaged and unfixed vulnerabilities often number in the hundreds of thousands. Software is pushed to production without security testing. And systems containing components with known vulnerabilities are rampant. People – and Congress – were outraged when Equifax took months to fix a vulnerable Struts software framework and got breached in the meantime. What they don’t know is that every covered entity is in this exact same situation right now.”
Williams believes the SEC could do more. “They could require disclosure of the security defenses and assurance for each system. They could more directly require specific security outcomes.”
This seems a very different viewpoint from Reiber’s, but in effect there is little difference. Williams wants explicit regulation of cybersecurity controls, while Reiber believes this is already implicit in the breach disclosure rule: the likelihood of a breach (and the subsequent investigation) will force covered entities either to have adequate security controls in place or to be found in breach of the regulation.
The real problem, and one faced by all organizations in all sectors, is how to put security controls in place that are effective, and provably so.
Reiber believes that developments over the last few years can provide the answer: MITRE, and CISA’s Known Exploited Vulnerabilities Catalog (the KEV list). If organizations (all of them, not just covered entities) use MITRE to test each newly CISA-disclosed vulnerability against their security defenses, and can successfully defend against those vulnerabilities, they can demonstrate a serious cybersecurity posture even if they are subsequently breached.
This has the advantage of ensuring security without imposing specified controls. If a MITRE attack definition defeats defenses, there is an obvious necessity to improve or tweak the existing posture. If existing defenses can defeat the KEV list, there is not only less likelihood of being breached, but also a solid argument demonstrating that requirements have been followed even if there is a breach.
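The workflow Reiber describes needs bookkeeping: which KEV entries are new since the last review, which touch software the organization actually runs, and which have not yet been exercised against its defenses. The following added example (not from the article or any vendor quoted in it) does that bookkeeping over a constructed KEV snapshot that mirrors the public feed's field names; the CVE identifiers, inventory and validation log are all assumed placeholders.

```python
"""Track which CISA KEV entries still need a defensive validation exercise."""
import json
from datetime import date

# Constructed KEV snapshot using the feed's field names; the cveID values are
# placeholders, not real catalog entries.
KEV_JSON = """{
  "catalogVersion": "example", "count": 4,
  "vulnerabilities": [
    {"cveID": "CVE-0000-EX001", "vendorProject": "Apache", "product": "Struts",
     "dateAdded": "2023-03-01", "dueDate": "2023-03-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-EX002", "vendorProject": "Vendor", "product": "Widget",
     "dateAdded": "2023-03-05", "dueDate": "2023-03-26", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-EX003", "vendorProject": "Apache", "product": "Struts",
     "dateAdded": "2023-01-10", "dueDate": "2023-01-31", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-EX004", "vendorProject": "Apache", "product": "Struts",
     "dateAdded": "2023-03-10", "dueDate": "2023-03-20", "knownRansomwareCampaignUse": "Unknown"}
  ]}"""

INVENTORY = {("Apache", "Struts")}   # (vendorProject, product) pairs we run (constructed)
VALIDATED = {"CVE-0000-EX003"}       # ids already exercised against our defenses (constructed)


def pending_validations(kev_json, inventory, validated, last_review):
    """Return KEV entries added after last_review (ISO date) that affect a product in
    inventory and have no recorded validation exercise, most urgent first."""
    catalog = json.loads(kev_json)
    last = date.fromisoformat(last_review)
    pending = []
    for v in catalog["vulnerabilities"]:
        if date.fromisoformat(v["dateAdded"]) <= last:
            continue                      # already reviewed in an earlier cycle
        if (v["vendorProject"], v["product"]) not in inventory:
            continue                      # not in our estate, nothing to exercise
        if v["cveID"] in validated:
            continue                      # defenses already tested for this entry
        pending.append({"cveID": v["cveID"], "product": v["product"],
                        "dueDate": v["dueDate"],
                        "ransomware": v["knownRansomwareCampaignUse"]})
    # Entries tied to known ransomware use come first, then earliest CISA due date.
    pending.sort(key=lambda e: (e["ransomware"] != "Known", e["dueDate"]))
    return pending


def record_validation(validated, cve_id):
    """Return the validation log with cve_id marked as exercised (does not mutate input)."""
    return validated | {cve_id}
```

Running `pending_validations(KEV_JSON, INVENTORY, VALIDATED, "2023-02-15")` yields the two unexercised Struts entries, with the ransomware-linked one ahead of the one with the earlier due date.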
The key to this, and perhaps the key element of the SEC cybersecurity proposals (and perhaps all cybersecurity regulations) is the breach disclosure rule.