This article was authored by Teri Marlene Prince, CEO of TERIDA, who joins us as an expert guest contributor and member of the Digital Governance Council. With a wealth of knowledge in digital governance and a keen eye for innovation, Teri brings a treasure trove of expertise to the table. As a visionary leader in her field, she has carved out a reputation for pioneering advancements in technology and governance. Her thoughts and guidance offer invaluable perspectives at the forefront of digital transformation.
On December 14, 2023, the Director of the SEC’s Division of Corporation Finance made a statement outlining “significant parts of the rationale and mechanics …” of the new U.S. Securities and Exchange Commission Rule regarding “material” cybersecurity incidents. The statement included the usual caveat of the Director “[expressing his views in his] official capacity as Director of the SEC’s Division of Corporation Finance, and [that his] views do not necessarily reflect the views of the Commission, any of the Commissioners, or any other Commission staff…” And as usual in the world of governance and compliance, these statements offer a wealth of useful information, but they are neither official policy, nor do they provide information on the current landscape. And, as always, there is a subtext. It is the current landscape that is the reason for cybersecurity regulation, and we may not be paying sufficient attention to it.
With the Rule’s cyber incident disclosure requirements compliance dates now in effect, TERIDA has been inundated with questions about this Rule in Canada, in the US, in the EU, and throughout the NATO Alliance.
What do we see?
Though the SEC cybersecurity rules are for publicly listed companies and do have applicability to foreign private issuers in Canada, most public companies are reliant on many smaller third-party software and supply chain companies, and a cyberattack at any point along that chain could have a material impact.
And often the larger the company, the less aware it is of its suppliers further down the supply chain, and the less aware it is of what its staff know about the organization. So, when it comes to cybersecurity, the complexity and severity of the risk must be considered from a business risk, technology, reputational, and regulatory compliance perspective. CISOs and Boards must have the tools necessary to mitigate these risks and cannot wait for an event to implement the structure to deal with a cyber emergency.
The Current Landscape?
There is conflict on multiple levels and across multiple domains – air, land, sea, space, cyber, and information – on a global scale, and an average lead time of 197 days to detect a breach is not just a business issue.
Do we want our corporations, hospitals, schools, courts, and infrastructure to cease to function?
Was the incident at Brookfield Global Relocation Services (BGRS) and Sirva Canada “material”? “According to the Canadian government, the data breach impacts the personal information of present and former public service employees, as well as members of the Canadian Armed Forces and Royal Canadian Mounted Police.” Was the Xfinity Data Breach that Impacts 36 million Individuals material?
What seems to be the current landscape is that the Rule is not just about cybersecurity reporting regarding material cyber events, it’s about the risk to the corporation of material cyber events, and the ability to mitigate that risk by acting now – before there is a material event – and the calls that have come into TERIDA have been from entities who recognize this.
“The US Securities and Exchange Commission (SEC) final version of its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule for public companies for “material” cybersecurity incidents is now in effect with publicly traded companies to report such events to the agency within four business days.
While the SEC’s rule is aimed at providing investors with information on potential risks to replace the inconsistent disclosures of major incidents, the controversial rulemaking has garnered criticism from industry, Republican lawmakers, and some cybersecurity experts.
The implementation of the rule comes at a time when there are few breach reporting requirements, a fact that largely leaves government and policymakers without basic information on the current landscape.
However, critics of the rule have levied myriad complaints, including that the disclosure time is too quick, such information could potentially endanger national security, it is duplicative of existing regulations, and — following the SEC’s lawsuit against SolarWinds and its former chief information security officer for fraud — it places more liability pressure on CISOs.”
— Cyberscoop: Christian Vasquez, December 18, 2023
Law firms and others, by the thousands, have issued privacy and security law blogs and opinions on interpreting and implementing the new Rule. There is no end to the statements of disapproval and overreach in certain sectors, and to the intense discussion in the cybersecurity community at the CIO-CISO-compliance-risk level as to whether this rule is dangerous (look what’s happened to Uber, SolarWinds, and others) or fabulous (finally, cybersecurity will get the attention it deserves).
As one of very few companies with extensive experience in class actions, mass actions, claims, settlements, pre-settlements, distributions, litigation mitigation, and subrogated claims – millions of users, billions distributed – going back as far as the Walkerton disaster, we have seen firsthand calls for the use of the FedRAMP and NIST 800-53 standards. These standards could be used to manage and mitigate the impact of the SEC rule effectively, efficiently, and securely, now and going forward. It is important for organizations to follow up with their service providers on the various credentials that provide confidence in an organization’s management of its compliance, cybersecurity, and privacy controls per Canada, US, NATO, and EU standards and clearances. Consider NIST, CAN/DGSI, CSPV-SEE, GDPR, DD2345 JCP Certification, CAGE, NCAGE, Canada Secret, and NATO Secret to safeguard your organization and across the supply chain.
TERIDA is an innovative, agile, women-owned-controlled-led regulatory technology solutions provider with offices in Pinehurst, North Carolina; Toronto, Ontario; and representation in Brussels, Belgium. TERIDA delivers award-winning, targeted enterprise cloud solutions via the Terida RegTech Framework – CLASsoft™ from AWS, our Infrastructure-as-a-Service provider with security, continuous monitoring, and inherited controls at every stage of the process. TERIDA RegTech solutions scale for multi-jurisdictional operations and deployment and are covered by a NATO Communications and Information Agency Basic Ordering Agreement, for NATO and all NATO Nations. At TERIDA, RegTech is an all-inclusive term, signifying the depth and breadth of our LegalTech, InsureTech, HealthTech, DefTech, GovTech solutions and experience.
About the Digital Governance Council
The Digital Governance Council is a member-driven organization that acts as a cross-sector neutral convener for Canada’s executive leaders to identify, prioritize and act on digital governance opportunities and challenges. The Council leads an Executive Forum for council members, sets technology governance standards through the Digital Governance Standards Institute and certifies the compliance of Canadian organizations in the management of the effective and efficient use of digital technologies. To learn more about the organization and its initiatives, visit www.dgc-cgn.org or contact firstname.lastname@example.org.
For media inquiries:
Communications and Knowledge Mobilization Lead
Digital Governance Council