Companies Overreporting Cybersecurity Incidents: Experts
Facing SEC requirements of prompt public disclosure of material cybersecurity incidents, many companies are reporting out of fear of violating the rules, sometimes going public with nonmaterial incidents, cybersecurity experts say. In an FCBA CLE Monday, Wiley cybersecurity lawyer Josh Waldman said the SEC's lawsuit against SolarWinds over the software company's disclosure practices seemed like it would trigger vast under- or overreporting, with the latter seemingly emerging as the dominant trend. While there's a willingness among agencies and Congress to harmonize different agencies' privacy, data security and cybersecurity rules, there's not a clear way of doing so, cybersecurity experts said.
Pointing to a fear of violating SEC reporting rules, which went into effect 12 months ago, Debevoise & Plimpton cybersecurity lawyer Erez Lieberman said that while companies have four business days from determining an incident is material to report it to the SEC, many are reporting incidents far sooner, even without a determination of materiality. The SEC rules are very different from most agencies' cybersecurity reporting requirements in that incidents are made public, he added.
Wiley cybersecurity lawyer Sydney White said determining materiality can involve an incident's financial impact, but it also can include the impact on customers or the public perception of the company; in other words, elements that may take more than a few days to determine. As such, the SEC is "somewhat disappointed" that companies are gaming cyber incident reporting requirements -- disclosing incidents but also trying to underplay their impacts, she added.
With the DHS' NPRM issued earlier this year regarding requirements for reporting incidents that impact critical infrastructure, Paul Eisler, USTelecom vice president-cybersecurity, said companies have a concern about where it sets the bar for defining such incidents. He said DHS must exclude incidents that don't affect U.S. infrastructure, and it must narrow the trigger for reporting incidents affecting supply chains. The DHS rules as proposed also could lead to overreporting, he added.
David Navetta, Cooley cybersecurity lawyer, said data breaches are often global, and companies can face a complex edifice of regulatory requirements for reporting and responding. The net result, he said, is that compliance issues could distract companies, and they miss the larger picture -- actually safeguarding their systems and data. Navetta questioned whether data breach notification rules -- which are intended in part to motivate companies to improve security -- have actually prompted greater security.
He disagrees that there has been overreporting at the SEC. Instead, a lot of companies have thought judiciously about the materiality assessment rather than engaging in knee-jerk reporting, Navetta argued.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 seemed initially as though it would lead to more universal standards and harmonization of agencies' cybersecurity incident reporting rules, said Brandon Pugh, R Street Institute cybersecurity policy team head. But harmonization has lagged since the act was signed into law, and CIRCIA requirements sit atop other requirements, adding complexity. Pugh is "slightly hopeful" the incoming Donald Trump administration can course-correct and further fine-tune harmonization. But, Pugh said, one of the challenges is that no federal agency is empowered to drive meaningful harmonization among other agencies. Navetta said he was somewhat pessimistic about the likelihood of harmonization due to the difficulty of creating a single standard across the various laws.