Navigating the Cyber Security Regulatory Maze: Balancing Incident Response, Breach Disclosure, and Compliance in the Cloud Era

Amidst the rapid migration to cloud and the persistent cyber threat landscape, businesses face a formidable task of managing cybersecurity incidents while adhering to increasingly complex regulatory and reporting requirements. From ransomware to state-level attacks, each incident requires a tailored response, demanding rapid and automated access to, and preservation of, critical data before it is no longer available.

The Cybersecurity Regulatory Landscape

In a recent roundtable discussion led by Ollie Smith, COO of Cado Security, we delved into the intricacies of the regulatory landscape as it relates to cybersecurity, focusing on the SEC's "Final Rule" on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. This discussion, and a range of other discussions we have held recently with security leaders, highlighted the challenges and opportunities presented by these regulations specifically for cloud environments.

Cloud-Specific Challenges

One common challenge that emerged during these discussions was the ability to swiftly detect and respond to security incidents in cloud-based environments. With data scattered across many different resource types including containers and other ephemeral assets, legacy approaches are struggling to keep up. Having access to the right data to answer critical risk-related questions has become extremely complex but is essential for accurate incident reporting.

Cyber Risk Management Programs

The discussions also examined the effectiveness of cyber risk management programs and whether they should be disclosed to investors as required by new regulatory requirements. Determining the materiality of a breach or attack can be complex and should involve various stakeholders, including the CFO, General Counsel, CISO, CIO, and front-line business leaders.

The SEC's new rules highlight that "a lack of quantifiable harm does not necessarily mean an incident is not material." Therefore, organizations must be prepared to justify their materiality determinations with robust documentation detailing their processes and considerations.

• Public Disclosures: Another crucial aspect of the discussion was how much information companies should disclose in the public domain about a cybersecurity incident and their risk management strategy without introducing additional and disproportionate risk to their business. Striking the right balance between transparency and security is essential.
• Materiality Determinations: With the responsibility for materiality determinations and disclosures ultimately falling on CEOs and CFOs, CISOs and Security Leaders, it's critical that these decision-makers have timely access to the information they need. The challenge lies in maintaining confidence that the determination process will not cause unreasonable delays.
• Reporting Timeframes: The discussion also touched upon the requirement to report incidents within a four-business-day window. The clock starts ticking when a cyber security incident is determined to be "material" and organizations must navigate the challenge of providing timely disclosures while ensuring their incident response processes are thorough.
• Related Occurrences: Also discussed was how the final rule removed the requirement to aggregate disparate non-material risks to determine if an 8-K disclosure is required. However, it still mandates the reporting of related occurrences if they are deemed material. This introduces complexities in managing and reporting multiple interconnected incidents.
• Cyber Governance and Reporting: Another topic discussed was how the SEC's final rule requires a description of the board's oversight of cybersecurity risks in the 10-K. This means boards must allocate responsibility for cybersecurity risk oversight and establish processes for informing board members about these risks.

The Positives

A surprising number of positive points were also raised about the new legislation. There has been plenty of forewarning about the legislation with the first indications of this regulation in 2011 and a more official notice of it in 2018 so for the past five years the industry has been taking this seriously. This means that the majority of those impacted (that we spoke with) feel that they are well prepared to deal with these ‘new’ regulations. Meaning that while there has been a lot of noise about these new regulations, those that they actually affect feel like they aren't going to be a problem.

Historically, there was a general feeling that the buck has always stopped with the CISO when it came to cybersecurity and breaches, but now with the new legislation the process involves the collective responsibility of the whole leadership team, especially around the point of determining materiality. This has led to better risk management frameworks, better and more consistent board oversight, and more comprehensive policy and process being in place – not to mention increased budgets. 

Another positive is that as these new regulations are at the federal level, this could lead to a consolidation of regulations as a number of attendees raised concerns around state-level regulations that – while not directly connected to this bill – were different across the country and complying with those was actually much more complicated. A common approach mentioned was to comply with the more stringent state-level disclosure requirements (such as those of California) creating a deliberately high bar across the US in an attempt to simplify the response and disclosure process. 

Unintended Consequences 

An interesting point that was raised by one CISO we spoke with was that even though they followed the reporting guidelines and were praised across the industry for their transparency and their response in the event of an incident, their cybersecurity rating (by an industry leading cybersecurity ratings company) was negatively impacted as the rating agency appears to take any 8-K cyber security filing as a negative regardless of its content. Moreover,  as this company made 2 x 8-K filings there were penalized twice – even though both filings were about the same incident. 

Mastering the Cybersecurity Compliance Challenge: Striking the Right Balance

As the regulatory landscape continues to evolve, the ability to navigate the cybersecurity maze is becoming increasingly challenging. Businesses must balance their incident response, breach disclosure, and compliance efforts to meet the stringent demands of cyber security law. With cloud environments adding complexity to data accessibility, organizations need to rethink their strategies and prepare for the unexpected.

This roundtable, as well as our wider discussions, highlighted the significance of cybersecurity risk management programs and the materiality determinations involved in breach disclosures. Organizations must be prepared to provide justifications for their decisions and maintain confidence in the accuracy of their reporting.

Furthermore, the rapidly changing cybersecurity landscape requires businesses to embrace a more comprehensive and integrated approach, moving away from reactive risk detection. The final rules present an opportunity to enhance cyber security outcomes in a positive way, but organizations must ensure their readiness to comply with the new regulations and that they have robust procedures in place before an incident occurs, as the clock starts ticking as soon as an incident is detected. Additionally in an era where everyone has a footprint in the cloud the need to adopt a cloud-native approach to ensure the right level of visibility across all environments.  

In conclusion, the cyber security regulatory maze continues to challenge CISOs and Security Leaders. Navigating this landscape requires a delicate balance between compliance, incident response, and breach disclosure, all while adapting to the shifting landscape of cloud-based environments. The discussions shed light on the complexities and intricacies that organizations must address as they chart their course through this evolving terrain, here we only touched on SEC, GDPR and US state-level disclosure but there as other significant pieces of legislation that must also be included DORA, NIS2 and HIPPA just to name a few and for global companies there are even more to consider.  

How can Cado Help?

The Cado platform offers cutting-edge solutions for immediate forensic investigations, enhancing cloud security. The Cado platform simplifies and accelerates investigations of cloud-based incidents. In addition, the platform offers an Incident Readiness Dashboard that enables organizations to proactively test their ability to rapidly respond to active threats while continuously optimizing their cloud incident response program.

Want to learn more about how Cado Security is helping organizations perform forensics and incident response in the cloud? Schedule a demo here.