A CISO primer for staying on the right side of the SEC’s cyber materiality rules

DAVID CAGIGAL
November 16, 2023 - 3 min read

When the SEC charged SolarWinds CISO Tim Brown and his employer with fraud and internal control failure that led to the 2020 supply chain cyberattack, CISOs of public companies collectively shuddered. 

The skill, decision-making authority, and transparency expected of trusted company technology leaders should prevent outcomes like the series of SEC complaints about deficiencies in SolarWinds’ cybersecurity practices and, similarly, the US Attorney’s Office ruling on Uber’s recent lapse.

While cases like these reveal shortcomings, the road that leads a CISO into trouble is often paved with good intentions, and simply obeying the law may not be enough to stay out of jail or avoid stiff fines.

The rulings may, unfortunately, deter CISOs and cyber professionals from seeking leadership opportunities, a devastating thought considering the cyber talent gap. On the bright side, others see a potential leap forward now that regulations can free budgets and earn a CISO or CSO a rightful seat at the C-suite table. 

There are many questions that we ought to be asking to know which path we are on. 

Has the SEC issued the controls necessary for compliance? Consider the Sarbanes-Oxley Act. Unlike the SEC ruling on cybersecurity, SOX compliance is well-documented and understood. It prevents company chiefs from abusing their positions to make external monitoring opaque, falsify financial statements, and confuse shareholders. Publicly traded companies must comply with it.

While insider threats are part of the cybersecurity picture, CISOs and their teams face different risks and myriad external threats. No organization, public or private, is fully protected even at 100% compliance, because of zero-day attacks, the constant development of new technologies put to malicious use (e.g., GenAI), and failures in human behavior. There is no silver bullet, be it a solution provider’s product or service, an industry-accepted framework, or the most comprehensive cyber strategy. Any breach can evolve from non-material to material in hours, days, or even years.

CISOs, in turn, may have a challenge gaining consensus from the C-suite and the board about whether or not a cybersecurity incident is material and should be disclosed in filings. Four business days after a company determines that a cybersecurity incident is material may not be enough time to collect the data to define the incident’s nature, scope, impact, and timing. 

Given these circumstances, cyber leaders and their staff will need to fully understand their ongoing cyber defense posture and then be able to package and communicate it to the business. They must contribute to and share internal control assessments and risk registers with all responsible parties, including the CEO’s office and the board.

Expect extra scrutiny and rigor when making a case for cybersecurity investments, whether for a new initiative or for ongoing funding, and explicitly define the vulnerabilities to be addressed. If the board, CEO, or leadership team declines, it should be documented that they, not the CISO, assume the risk of non-compliance. This is where the required disclosure of the relevant expertise of the company management responsible for assessing and managing material cyber risks can come in handy.

It is a new dawn for CISOs at public companies, one in which they, like CFOs, will be called upon, in partnership with their boards, to make periodic disclosures about their companies’ processes to assess, identify, and manage material cybersecurity risks.

While current industry coverage is spotlighting recent failures, no one is covering the heroics of CISOs and their staff for protecting organizational assets every second of the day, 24x7x365, to the best of their abilities.

However you look at it, the SEC gave the industry a corporate responsibility teaching moment not just for CISOs but all corporate executives, board members, and their risk and legal advisors.
