
SEC Cybersecurity Breach Rule: What it Means for MSSPs

Next week, on December 18, a new rule from the Securities and Exchange Commission (SEC) goes into effect, codifying what investors, channel partners, Congressional lawmakers, businesses and others have been saying all along — cybersecurity risk is business risk.

There are implications here for MSSPs, MSPs and their end-user client companies. There are also potential revenue opportunities for cybersecurity service providers. Here’s some background about the new regulation.

The SEC Disclosure Rule: Background

The new regulation goes into effect approximately five months after the SEC voted 3-2, along party lines, to approve the rule. It requires registrants to report a material security incident in an 8-K filing within four business days, and also to disclose annually "material" information about their cybersecurity risk management, strategy and governance to better inform investors. Before this regulation there had been no federal breach disclosure law that explicitly standardized the particulars.

The rules include other requirements, but incident reporting and materiality sit at their apex. The SEC says information is material if a reasonable person would consider it important when making an investment decision, or if it would significantly alter the publicly available information about a company. It's worth mentioning that the naysayers saw the SEC's moves as micromanaging.

Considering industry as a whole often moves as slowly as a turning battleship, this is, relatively speaking, zipping along at warp speed.

Smaller publicly-held entities will have to comply with incident disclosure requirements by June 15, 2024.

Following the July vote, Lesley Ritter, senior vice president for Moody’s Investors Service, said in what will likely prove to be a prescient statement: “Increased disclosure should help companies compare practices and may spur improvements in cyber defenses, but meeting the new disclosure standards could be a bigger challenge for smaller companies with limited resources.”

Meeting the SEC's reporting mandate requires bringing a host of stakeholders to the party, spanning the C-suite — CISOs, CIOs, CTOs, CFOs, CEOs — as well as legal, the board and internal auditors. In other words, it won't get done without collaboration across all of those functions.

The SEC Regulation’s Impact on MSSPs, MSPs

How will the agency's incident reporting regulations affect managed security service providers (MSSPs) and managed service providers (MSPs)? One recent study gives us some clues.

Midway between the SEC's adoption of the regulations and the deadline for implementation, Deloitte polled some 1,300 C-suite and other executives at public companies; 65% said their organizations will strengthen their cybersecurity programs.

What's more, over half (54%) of the executives surveyed said they will also push their third parties to strengthen their cyber programs in response to the regulations.

Of particular note for MSSPs and MSPs, about one-third of the respondents have already evaluated their communications with third-party service providers, and one quarter are in the process of doing so.

These are revealing figures for MSSPs and MSPs in that, to a degree, it’s a stamp on their relevance. Who better to guide companies of all sizes through a process of determining and investigating a cyber incident and to assist internal security teams?

MSSPs, MSPs Need to Evaluate Risk

“Both types of providers should be looking through the risk lens, for sure, not only internally first, but also with their clients,” Wayne Selk, CompTIA security programs vice president, told MSSP Alert. “For those to whom this rule applies I suspect they will be evaluating the risk from their clients more.”

None of this has come without difficult questions. What stands out so far is the seemingly ubiquitous issue of what counts as "material."

“The determination really focuses on materiality, not whether or not the organization knows the full extent of the incident," Selk said. "It will be interesting to see how the SEC determines 'you knew materiality on this date, yet you reported on this date.'”

Determining Materiality: Another Potential MSSP Opportunity

MSSPs and MSPs will likely be involved in the determination of materiality, “especially if they are managing the infrastructure, either from an information security or information technology perspective, involved in the incident,” Selk said.

Assessing materiality isn’t a standalone process, suggests Matthew Corwin, managing director at Guidepost Solutions, a compliance, investigations and security risk management consultancy.

"What's important to understand is that action of making that determination and maybe making that filing is not going to happen in a vacuum," Corwin told MSSP Alert. "It's only going to be possible for it to be done effectively after a risk-based security program has been implemented that's mapped to the actual specific risks of that firm.

“And then it's been in place and tested, ideally, from an incident response perspective, prior to any actual incident happening. That's going to be what's critical for any company to successfully implement these requirements. It's not something that they're going to be able to just jump in and do after an incident already happened. It's something that needs to be prepared for over time and there's some significant runway to that."

The Revenue Opportunity for MSSPs

Whether or not the reporting requirements will yield revenue opportunities for MSSPs and MSPs is still an open question, according to Selk.

“Good money versus bad money is the revenue opportunity,” he said. “Good money means you and the client are working together to minimize the impact of an incident. This leads to high quality clients focused on a security-first culture and doing the right thing when it comes to protecting themselves.

"Bad money means you keep high-impact, low reward clients who are not interested in working together. Bad money also means your organization is not growing and may even be losing money.”

In what may have served as a preview of the kind of case the incident and materiality reporting regulation is meant to address, last March software company Blackbaud agreed to pay $3 million to settle charges that it made misleading disclosures about a 2020 ransomware attack that impacted some 13,000 customers. In July 2020, the South Carolina-based provider of donor data management software disclosed a ransomware attack and said the attacker had not accessed donors' bank account information or Social Security numbers, when in fact the attacker had accessed and exfiltrated that data.

That scenario, applied to publicly held companies, is essentially what the SEC's reporting rules are designed to address.

Perpetrator Turns in Victim for Not Reporting Breach

One company may find out the hard way that the SEC regulation isn't failsafe. In a new extortion twist, the rules may have allowed a notorious ransomware group to simultaneously play cop and robber. According to a blog post on databreaches.net, earlier this month, in an audacious move worthy of only the most brazen criminals, the ransomware group AlphV (aka "BlackCat") allegedly filed a formal complaint with the SEC, claiming that one of its recent victims had failed to comply with the new disclosure regulations.

In what appears to be a first, AlphV reportedly turned in MeridianLink, a digital lending service, to the SEC for failing to adhere to the new regulation; the attackers claimed the company was aware of the break-in the day it happened, according to the databreaches.net post.