December 19, 2023

Caught in the SEC dilemma: what should CISOs put in their "honest" 10-K?

The new SEC cybersecurity disclosure date is here. US public companies must provide cybersecurity disclosures that comply with the new SEC regulations in 10-K filings starting December 18, 2023. Smaller companies have another 6 months. For CISOs, this is the advent of truly worrisome territory.

The backdrop of the new rules is the SEC’s position against SolarWinds. The SEC has charged that SolarWinds included “only generic and hypothetical cybersecurity risk disclosures” in its filings. For example, SolarWinds claimed its “password policy covers all applicable information systems, applications, and databases [and we] enforce the use of complex passwords” and “access controls to sensitive data in our databases, systems, and environments set on a need-to-know / least privilege necessary basis.” Per the SEC, these filings were misleading because they claimed strong cybersecurity practices while insiders knew that the reality was different.

Was the SolarWinds 10-K particularly bad? An analysis of just over 8,000 10-Ks (and amendments) filed with the SEC between Dec 15, 2022 and Dec 15, 2023, shows these facts:

  • 46% of these 10-Ks had boilerplate language similar to the SolarWinds disclosures.
  • 23% of 10-Ks just included boilerplate safe harbor disclaimers about “substantial risk from cyber attacks” but did not quantify the risk or describe how cyber risks are managed.
  • 31% of 10-Ks had no cybersecurity disclosure.

Now, we don’t know how much of this language was written by (or approved by) CISOs vs. others, e.g., legal counsel, external consultants, or the risk team. With the new SEC requirements (summarized in Table 1), companies are required to accurately describe the methods they use for “assessing, identifying, and managing material risks from cyber threats”. The language used previously in 10-Ks is no longer acceptable. In light of the SolarWinds case, it also appears that just putting in boilerplate verbiage is likely to get CISOs in deep trouble.

[Table image: SEC cybersecurity disclosure requirements]
Table 1: SEC Requirements for 10-K (and 8-K) summarized

So, what should CISOs do? Of course, nobody should be putting false disclosures in SEC filings. At the same time, CISOs are deeply concerned about putting out any information in the public domain that would make cyber attacks easier to perpetrate.

Now, a perfectly accurate 10-K cybersecurity disclosure, perhaps one written by your cybersecurity operations lead, might read like this:

The honest 10-K cyber disclosure:

  1. We don’t have an accurate inventory of the software we use. Our CMDB is only 30-50% accurate, and we don’t do a good job of tracking who owns what. We have deployed 25+ security tools, but the exact coverage is unclear. Attackers go after the weakest link, and we can’t properly assess about 15-25% of our environment.
  2. The mean time of arrival of new exploitable vulnerabilities (14 days) is far lower than our mean time to mitigate (154 days). We have a big backlog of unpatched vulnerabilities (23 million vulnerability instances), leaving us highly exposed to compromise.
  3. We also cannot systematically assess the effectiveness of our security controls, on a vulnerability-instance by vulnerability-instance basis. This requires computational capabilities that we do not have. Instead, we rely on our team doing this assessment on a qualitative basis.
  4. We score cyber risks as High, Medium, Low and on ordinal scales of 1-10. We know this risk scoring is subjective. We struggle to demonstrate the ROI of our security investments and the criticality of our risks and control gaps to risk owners, our senior leaders, and governance committees. These conversations are more emotional than data-driven, and the results are not satisfactory.
  5. [Some of you may say] We have had an in-house project to build a cybersecurity data lake for 5+ years, which has failed to deliver the desired results. We have a budget ask to invest in new-age AI-powered techniques to address these problems, but this has not been approved yet due to the current economic conditions. Our company has decided that all new investments must be funded by cutting existing tools spending. Unfortunately: a) AI-powered tools are more expensive than legacy tools, and b) we need to maintain our current coverage until the new tools are deployed and proven to be effective.

Reading this, you are probably shaking your head. OF COURSE, YOU CANNOT PUT THIS IN YOUR 10-K! While many of the facts above may apply to you, no one in your C-suite is going to allow this type of disclosure to go into your 10-K. And yet, as we are finding out, the SEC intends to hold CISOs accountable for any gap between the “10-K risk” and the “actual on-ground conditions”. There is only one way out.

First make sure your CEO, CFO and GC see your “honest 10-K disclosure” along the lines above. In writing.

Then draft your “target 10-K disclosure” along the lines of the sample below. This is the defensible and honest verbiage you can actually put in your next 10-K (with a little supporting effort).

The defensible 10-K disclosure you want to write

  1. Our information security program manages cyber risks based on materiality. The notion of managing material risks in a timely manner drives all tactical and strategic activities of the infosec team (other than activities for regulatory compliance).
  2. We have made significant investment in systems and processes to continuously analyze data from all our relevant cybersecurity, IT and business tools. This “materiality determination system” helps us:
    • maintain a comprehensive inventory of all our assets, applications and users across the enterprise, including on-prem, cloud and mobile systems
    • assess cyber vulnerabilities and risks in a consistent manner that considers not only the severity of vulnerabilities but also threat level, exposure of systems, effectiveness of security controls, and business criticality of assets and apps
    • keep track of the cyber risk owner of each asset and application
    • calculate cyber risk (in dollars) continuously, asset by asset and group by group in a bottom-up fashion, to derive the total cyber risk of the enterprise
    • surface next best steps to reduce risk.
  3. Since the data load (from our tools, external feeds, and business input) needed to properly monitor our entire enterprise is over a petabyte per day, we make extensive use of automation and AI to analyze and model this non-human-scale data into a form where our human stakeholders can make the final determination of materiality. (Figure 1)
  4. The cybersecurity framework we use is the NIST Cybersecurity Framework. Our materiality determination system performs the Identify and Govern functions, and it drives the other functions of cyber risk management: Protect, Detect, Respond and Recover.
    • We dispatch next best steps for mitigating material risks immediately to the appropriate risk owners, who are responsible for corrective action. We incentivize owners for quick action.
    • Our materiality determination system drives the decisions we make about the protective technologies we invest in. We use this system to evaluate the effectiveness of our protective tools and gaps in coverage, and then make appropriate changes to our tools portfolio.
    • Our materiality determination system enables us to understand which of the incidents we discover in our SOC are material. Investigation of events related to material assets and applications, or related to critical users, is prioritized over all other investigations. When a material incident is discovered, we have a process in place to remediate or mitigate the issue and file an 8-K with the required information. Our overall objective in these cases is twofold: a) minimize the impact of the incident and b) determine what adjustments are necessary in our cybersecurity program.
    • We benchmark our risk owners against each other continuously and provide live feedback to the risk owners. We also benchmark our business units against each other on how well they manage material risks.
  5. We also use our materiality determination system for third-party risk management (TPRM). Recently we modified our TPRM system for all our existing and prospective vendors to disclose how they define and manage material cyber risks, in addition to the 100-point questionnaire we have used previously. We now also require our third-party vendors to submit monthly reports with key metrics about their infosec programs. If a vendor is unable to meet our program requirements on managing material risks, we either look for an alternate vendor or take explicit measures to ensure that any adversarial cybersecurity event at such a vendor would not have a material impact on our company.
  6. Governance of our materiality determination system and the overall cyber risk management program is provided by our Cyber Risks Executive Committee, consisting of our CISO, Chief Risk Officer, CIO, CFO, and CEO, with guidance and input from legal counsel and our external auditors. Daily tactical decisions and tasks are implemented by operating infosec team leaders, business unit owners, and individual risk owners.
  7. Governance of our overall cybersecurity program at the board level is provided by a board subcommittee dedicated to overseeing cybersecurity risks. Our Cyber Risk Executive Committee confers with our board committee on a regular basis, at least once a quarter, and on an as-needed basis as required.
  8. [Safe harbor statements] We recognize that our materiality determination system is not perfect, but we believe that a systematic, data-driven system for quantifying and tracking cyber risks coupled with human judgement is better than an approach that relies on human judgement alone. We recognize that at any point there will be technical limitations on which cyber risks we can discover or assess, but we continuously strive to make our system more comprehensive and accurate. We also recognize the economic infeasibility of fixing all known issues immediately. The complexity of software in general, the heavy reliance of our company on third-party providers who have struggled for decades and continue to struggle to provide secure software, the relentless innovation on the part of attackers, and the persistence and practically infinite resources of nation states mean that from time to time our proactive protective measures may not be enough to prevent a cyber breach at our company. All this said, we continue to strive to minimize the material impact on our company of such events.
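
As an added illustration (not the authors’ or any vendor’s method) of the bottom-up, factor-based calculation that item 2 describes, the Python below derives a per-instance likelihood from severity, threat level, exposure and control effectiveness, rolls it up asset by asset and group by group into an enterprise total, and surfaces next best steps by the risk each fix removes; the asset names, factor scales, vulnerability identifiers and figures are constructed assumptions. Setting impact to a 1-10 criticality weight instead of dollars gives the consistent non-dollarized score the go-forward plan mentions as an interim option.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import prod

@dataclass(frozen=True)
class Asset:
    name: str
    group: str          # business unit, for the group-by-group roll-up
    owner: str          # cyber risk owner the disclosure says is tracked
    impact: float       # business criticality in dollars (or a 1-10 weight for a non-dollar score)
    exposure: float     # 0..1 assumed scale: 1.0 internet-facing, 0.2 isolated segment
    control_eff: float  # 0..1 share of attempts the controls in front of it are judged to stop

@dataclass(frozen=True)
class VulnInstance:
    asset: str
    vuln_id: str        # constructed placeholder ids, not real CVEs
    severity: float     # 0..1, e.g. CVSS base score / 10
    threat: float       # 0..1 likelihood the weakness is being actively exploited

def instance_likelihood(a: Asset, v: VulnInstance) -> float:
    """Chance one instance leads to compromise, given the asset's context."""
    return v.severity * v.threat * a.exposure * (1.0 - a.control_eff)

def asset_risk(a: Asset, instances: list) -> float:
    """P(compromise via any instance) = 1 - prod(1 - p_i); risk = that chance * impact."""
    p_any = 1.0 - prod(1.0 - instance_likelihood(a, v) for v in instances)
    return p_any * a.impact

def aggregate(assets, instances):
    """Bottom-up roll-up: per asset -> per group -> enterprise total."""
    by_asset = defaultdict(list)
    for v in instances:
        by_asset[v.asset].append(v)
    per_asset = {a.name: asset_risk(a, by_asset[a.name]) for a in assets}
    per_group = defaultdict(float)
    for a in assets:
        per_group[a.group] += per_asset[a.name]
    return per_asset, dict(per_group), sum(per_asset.values())

def next_best_steps(assets, instances, n=3):
    """Rank instances by how much enterprise risk falls if only that one is fixed."""
    base = aggregate(assets, instances)[2]
    gains = [(base - aggregate(assets, [w for w in instances if w is not v])[2], v.vuln_id, v.asset)
             for v in instances]
    return sorted(gains, reverse=True)[:n]

ASSETS = [Asset("web-portal", "retail", "alice", 5_000_000, 1.0, 0.5),  # constructed sample inventory
          Asset("hr-db", "corporate", "bob", 2_000_000, 0.2, 0.8),
          Asset("build-server", "engineering", "carol", 1_000_000, 0.5, 0.0)]
INSTANCES = [VulnInstance("web-portal", "VULN-A", 0.9, 0.8), VulnInstance("web-portal", "VULN-B", 0.5, 0.1),
             VulnInstance("hr-db", "VULN-A", 0.9, 0.8), VulnInstance("build-server", "VULN-C", 0.7, 0.6)]
```

Note that the same weakness (VULN-A) ranks first on the exposed, high-impact portal and near the bottom on the segmented, well-controlled database, which is the point of scoring instances in context rather than by severity alone.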

As you can see, the crux of being able to write such a 10-K is getting a very good handle on the materiality of cyber risks in a way that combines analysis of your cybersecurity tools and threat data with human judgement (Figure 1).

[Figure image: a data-driven materiality determination system for cyber risks]
Figure 1: Materiality Determination Framework

Here is a possible go-forward plan for you:

  1. Get funding and immediate approval for projects to fix all the known gaps in the Identify function of the NIST Cybersecurity Framework. Invest in a commercial AI-powered cyber risk management system (e.g., Balbix), and make that system the foundation of your materiality determination system. Without this foundational element in place, your cybersecurity program is just a patchwork of techniques disconnected from business risks.
  2. Then rewire your vulnerability management, protective controls, and incident response, as well as your respond and recover playbooks, to be driven by your materiality determination system. See Figure 2.
  3. You must convince your c-suite colleagues that the R component of GRC must take front and center in terms of mindshare and funding. GRC in the context of cybersecurity can no longer be just about compliance.
  4. Get your two governance committees in place. Make sure your committee members have appropriate training/experience and context to do their job.
  5. Both authors are big believers in quantifying cyber risks in dollars. That said, you can accomplish much of the above with a consistent quantification of risk to a non-dollarized risk score, at least in the interim. This may let you avoid a few objections from stakeholders that could slow down your overall program. Once you have the rest of the materiality-driven system in place, you can revisit dollars.

[Figure image: how your materiality determination system becomes the "brain" of your infosec architecture]
Figure 2: Your Materiality Determination System is the “brain” of your cybersecurity program

Some parting thoughts: First the bad news. The SolarWinds case is not just about one CISO or one company. It is an indictment of most US public companies. Boilerplate cyber disclosures in 10-Ks will not work anymore. On the face of it, CISOs are stuck between a rock and a hard place!

But there is a way out. It’s not easy but not impossible. Rewire your cybersecurity program to be centered around managing material risks using a framework like NIST.

[Disclaimer: this is Logical Advice, not Legal Advice]