How to Prepare for the SEC Cybersecurity Rules Before December 2023

BSides CT · 2023 · 33:48 · 75 views · Published 2023-10
Category: Policy
Style: Talk
About this talk
The SEC cybersecurity rules that take effect in December 2023 place Officers and Directors in charge of Cybersecurity processes and policies. This talk describes the SEC cybersecurity requirements and solutions following NIST standards for process disclosure and material cyber-incident reporting relating to software supply chain vulnerabilities and exploits that could lead to a cyber-incident and potential shareholder lawsuits seeking to hold Officers and Directors personally liable for losses due to a material cyber-incident. Dick also gave a talk at BSides CT 2020 on Best Practices for Software Supply Chain Risk Assessments - https://www.youtube.com/watch?v=5OKYVWcJ2ps
Transcript [en]

Moderator: ...talks, and without further ado we'll get started with the next one. I'd like to introduce Dick Brooks, speaking on how to prepare for the SEC cybersecurity rules before December 2023. So Dick, take it away.

Brooks: Thank you, Roman. Can you guys hear me okay out there? Okay, super. So Jim, thank you for taking us into the exciting world of AI; I'm going to take you into the less exciting world of regulations. Everyone, try to contain yourselves now. But let me just go ahead and get started here.

As Roman said, my name is Dick Brooks. I'm the Chief Technical Officer for Reliable Energy Analytics (REA). We're a very small software engineering firm that's been around since 2018, located in Westfield, Massachusetts. We're the developer of cybersecurity risk assessment tools; our main product is called the Software Assurance Guardian Point Man. When people ask me what exactly REA does, I have to use an analogy. Have you seen the movie Titanic? You know the guys who are up there in the bird's nest looking for icebergs, the ones who are looking for risk? That's us. That's what we do: we look for risks in the software supply chain. That's largely what our company does, and we work for companies to help them identify those risks proactively. I'm also very active on some CISA initiatives. The Critical Manufacturing Sector Coordinating Council is one that might be of interest to some folks here; we have a tabletop exercise coming up.

But let me get down into what's really going on here. The SEC has been talking about cybersecurity regulations for a couple of years now, and last year they sort of let people know: look, we're getting serious about this; directors and officers are going to be held responsible. Those rules are now codified in the Code of Federal Regulations, and they take effect in December of this year. What it means, the big change that's being presented, is that when a cyber incident occurs, a material cyber incident, and I'll get into that in a minute, you have four days to report it on an 8-K. So it's important to know when the clock starts ticking on the four days. That's an area that's getting a lot of discussion these days, but I'll offer you some thoughts on that as well.

The other thing they do is require officers and directors to take direct ownership of cybersecurity processes, and they require that information to be shown in a public disclosure called the Form 10-K. What that means is that before, officers and directors could say, "Gee, I wasn't aware that we didn't have cybersecurity processes in place," and so when a cyber incident occurred they had sort of a way of saying, "Don't blame me, I wasn't aware." That all changes in December. Now the disclosures will need to identify the officers and directors and their responsibilities under these regulations. So if you're in the cybersecurity business, you're no longer left hanging out alone to dry; you now have a couple of officers and directors in the boat with you, right by your side.

Audience: [question about whether this applies only to the CISO]

Brooks: Yes, sir. This is not the CISO; the entire organization's C-level is now responsible for this. "Directors and officers" is the way they describe it. So if you're on the board of directors, you will have to disclose in your Form 10-K what role you play in terms of oversight, and if you're a manager or an officer, you will need to disclose what your role is with regard to cybersecurity. This is a huge difference.

I apologize for this; I know it's a hard one to see, but this came right out of a Harvard Law School article that I thought was really good. It basically boils down what I just told you. The first one is the disclosure requirements in a Form 10-K. As you can see, registrants must describe their processes for assessment, identification and management of material risks from cybersecurity threats, and this is where the officers and directors need to be the owners of that process. As you can see in Item 106(c), it says describe the board's oversight and management's role in assessing. So, to this gentleman's question, it is very direct in putting the officers and directors in the driver's seat on cybersecurity. A Form 8-K is also required as a means to report on a cyber incident. I'm sure many of you know that a lot of cyber incidents occur and you never hear about them; the ransom is paid and it goes on silently. That won't be the case anymore with these new regulations. Companies will be required to report a cyber incident within four business days.

So the goal of this talk is really to describe the processes and practices for cyber risk detection within the software supply chain, and here I'm very precise: the software supply chain is just one aspect, one of the avenues that can be used to carry out a cyber attack. So that's what the focus is here today. We'll also talk a little bit about the need to preserve evidence that those practices are in fact in use. If you say they're in use and you can't prove they're in use, then you may have a little bit of a challenge.

Audience: You may get to this, but what are the requirements around public disclosure? Is it reported to the government? Is there a level of confidentiality that's guaranteed with reporting to the government, or is there an expectation that the incident will actually make its way to the public, that the incident had occurred?

Brooks: Good question, sir. The answer is that a Form 8-K, which is how you report an incident, is public, and the regulation is very clear in this regard, telling you don't put technical details in the public disclosure. The requirement is to give information to shareholders that would be considered material when they're making an investment decision. So, is it going to have a financial impact? That's going to be in the Form 8-K. Are you going to disclose what your incident response plan is? No, definitely not. So that's a big difference here: the 8-K is public, and you need to make sure that the information you share is indeed worthy of, or for, public use.

Audience: The 8-K is, like, what is your policy? You're supposed to report an actual incident?

Brooks: Yes, sir.

Audience: That's not the 8-K. The 8-K is not the actual incidents, right?

Brooks: No, the 8-K is the form used to report an incident.

Audience: Oh, it is?

Brooks: Yes, it is. In fact, if I knew how to go back I could show you that, but you see the third bullet down here, I can't really point to it, but you see right here: the Form 8-K, registrants disclose their incidents on the...

Audience: Cool, thank you.

Brooks: Yes, sir. Any other questions on that, guys? Because that one's been getting a lot of air time these days. Okay.

The other question I get a lot is how long does it take to implement these practices for cybersecurity, you know, software supply chain risk detection, and I'll get into that as well. I do want to point out that the SEC disclosures require much more than what I'm covering here today, guys. I'm only really talking about the software supply chain, but there are other processes you will need to disclose in your Form 10-K that go beyond what I've got here for you today. I'll go into a little bit of that.

So the key message for you today is that management is responsible for cybersecurity. You are no longer left alone to hang out when a cyber incident occurs; you've got someone right there in the boat with you. Yeah, but now they're just going to tell you what to do. Not gonna help you much, but they're gonna tell you what to do.

But one of the keys here, and this is an area where, at least from what I've found, a lot of people aren't really covering their bases, is this area known as CISA Known Exploited Vulnerabilities. One of the critical keys to understand with these risks is that they need to be considered what the lawyers call, and I'm not a lawyer, I'm a software engineer, prima facie evidence of real cyber risk. So KEVs are prima facie evidence of real cyber risk. These are real software supply chain exploits that are being used in the wild, that have been observed to be successful in the wild, so they are real risks. And now directors and officers can be held personally liable in a shareholder lawsuit in the event of a cyber incident. That's the other thing that happens with this information: the 8-K tells the shareholder that an incident has occurred within four days of it happening, and then they can go look at the processes that were used by that company to see if they were doing all the right stuff. If they weren't doing the right stuff, that's opening the company, and the officers themselves, up to a lawsuit called a Caremark lawsuit that could seek to hold them personally liable when those incidents occur. You think, okay, the stock price dropped; that would be something a shareholder might want to sue for in terms of recovering their losses. Again, I'm not a lawyer.

Audience: Is holding the directors of the organization personally liable a standard thing in the industry, or is this the first time that a shareholder, not in cybersecurity but in general, for a stock price dropping, can hold the directors personally liable? Or is it only in cyber now that you can hold them personally liable?

Brooks: I don't know about other things, like if the house burns down, but within the context of cybersecurity we have actual evidence: real lawsuits have occurred. Home Depot back in 2015 had an incident where they had stolen data, and it resulted in some pretty significant losses to shareholders, and they did have a Caremark lawsuit. Now, it did not prevail. I don't know all the details about why it didn't prevail, but with this information that the SEC is now demanding, it may be a little bit more difficult to wiggle your way out of a lawsuit if indeed all of your disclosure is out there, what you are doing to prevent cyber attacks, and then reporting that the cyber attack actually occurred. It raises the bar a little bit.

The other thing that seems to be happening, and I'm not a lawyer, is that apparently cyber insurers, maybe my friends here from aen will say something at the back, are starting to do some checking to see if companies are indeed following regulations before they will issue cyber insurance policies. That's correct, right, sir?

Audience: As far as I know. I'm not part of the broking team, but as far as I know, yes.

Brooks: Yeah. So here's another case where, with these new regulations, not only can you be subject to a shareholder lawsuit, but you may find it's required just to get your cyber insurance policies through the loop. So there are a few things tied to this that you may want to consider.

Okay, so as I mentioned, you're going to need to document the processes in these disclosures in a Form 10-K, and then you have four days to report on the incidents when they do occur, and it's vitally important that you maintain tamper-proof evidence that these controls are in fact being implemented. This is one that gets a lot of air time too: cyber risk is business risk. You can ask either of these two guys, I don't have Caesars up here, but they would also, I think, be willing to stand on the line and tell you that they experience it as well. As I think a lot of people are aware, what happened with MGM recently, and Clorox as well: they had to announce in an 8-K filing that they were also going to suffer losses. As proof of this, there is a Caesars lawsuit that is underway right now; you can see it was filed back on the 15th of September, and as far as I have heard, firsthand knowledge, there are now five lawsuits that have been filed with regard to the two casinos.

So remember I said that cybersecurity is very broad; it's also very deep. The regulations and the processes for cybersecurity go beyond just the software supply chain, and you look at the NIST CSF and it gives you a sense for just how broad it really is and how deep you need to be aware of these risks and the processes you need to put in place, which are basically around what this CSF attempts to describe for you: a framework for where to place your processes. This is an eye chart on purpose, guys. What's on line 17? Anyone see that? Anyway. Okay, so you're probably familiar with the MITRE ATT&CK framework. This is just more proof to show you this is a very broad and very deep problem that needs to be addressed, and this is why you need to ensure that your disclosures contain enough information to show that you're doing your due diligence across the board.

So, as I said, the software supply chain is just one area to cover. CISA KEVs are essentially that prima facie evidence, or proof, that cyber risks in the software supply chain are real, and so it's imperative that the company look at the software supply chain and have processes to detect those risks. Remember the icebergs; that's what this is about. Someone out there, in this case CISA, has said, "Hey guys, we see an iceberg. It's about 20 miles in front of you, but you're being told about it right now so that you can take preventative action." Now there are other risks in the software supply chain, like software supplier risks. We all know what happened with SolarWinds and how they were using offshore engineering teams to develop software, and they got banged with that. But there are other concerns as well, like provenance and use of open-source software.

The other thing, too, that's important, and actually CISA just made a major announcement this week about vulnerability disclosure: companies are going to need to disclose their vulnerabilities within a certain time frame, and so this is becoming an even more important matter. CISA has been authorized to create, not regulations but recommendations, to implement a law called CIRCIA, which is an incident reporting law that has been announced recently to specify that it's a three-day reporting requirement. So the SEC has four days, but CISA may trump that with three days.

This is a slide that I was given permission to show from the Augusta Group, which I thought was really excellent. It goes to that point about having multiple avenues that you need to address, or multiple functional areas, when you are describing your process disclosures for cybersecurity. You can see supply chain is one, vulnerability and patch is another, but there are many others. Incident recovery is a great example of one here where you need to be able to show that you actually have an incident response plan in place; otherwise you'll get dinged again because you failed to have something reasonable in place.

I love this slide, because it feels like this sometimes: these CVEs come at us like a swarm of mosquitoes, and so knowing which ones you should focus on is important. That's what the CISA KEVs do: they tell you, of all the CVEs crossing your desk, which ones are the ones most likely to cause problems or risk in your environment. So they give us that early warning system. I think of it as a Doppler radar saying this thing is coming at you and it's really causing damage, so you need to take action now.

So what does a typical process look like? Are people familiar with the term SBOM here, software bill of materials? Good, yeah. Allan Friedman has been out banging the drums for years about this, so it's gotten a lot of mainstream attention. But it is a key point, because it describes all the components, or at least hopefully describes all the components, in a software product, and with that information you're able to conduct the risk assessment. So you can do things like look for CISA KEVs at the component level, and you need to be able to verify the provenance, and that's where verifying the download location of where you acquire a software package from is part of the evidence that needs to be preserved, so that you can show parties that you actually did do this provenance check as part of your process. But you also have other steps. These aren't as automated; for example, vendor verification is one. You want to know what cybersecurity practices and policies your software vendor is implementing. You want to know that they've done their due diligence as well and are working to protect your interest in the software they're providing to you. So knowing what their SDLC processes and practices are is also important, so that you can assess the level of risk that they may be introducing into your environment. After you've done all of these checks, you need to preserve your evidence, and then eventually you get to the point of saying, okay, do we have a material incident here? Because that's where the regulations come into play, and you need to determine whether or not you have a material incident.

Now, some of these are easier than others to determine. The two most common cyber incidents that I'm aware of are ransomware and data theft, and the beautiful thing about both of those, if you can say beautiful, is that, number one, the hackers, the perpetrators, tell you when they have introduced a breach into your environment: they've attacked you and they've succeeded. And number two, they give you a ransom note that tells you how much you need to pay in order to solve the problem. So here we have two things, and this goes back to that four-day trigger: number one, you're notified, you have the event, and number two, they tell you the cost to recover from that event, or at least get your keys back, the keys to decipher or decrypt the data. So here you have the two things that are required to report a cyber incident with the SEC: you know that it occurred, and you know that it's material, because the ransom note tells you what the material impact is. That's where the four-day clock really starts ticking.

This just goes through a little bit of the chain of evidence, the chain of custody for preserving tamper-proof evidence. Basically, once you create your risk assessment evidence data, you want to make sure that it's preserved in a tamper-proof format so that you can present that in court if the day comes when your directors and officers are facing a lawsuit. You're going to want to present this evidence using a third party that says, "This party is testifying on our behalf that we have produced this evidence of our processes."

Audience: Is there any guidance on what that evidence looks like? And is that evidence only provided to the public during discovery in a lawsuit?

Brooks: I think the answer to the second question, about discovery in a lawsuit, is yes; I don't think that's public. As far as what to report, this has been another area of concern. If you look in the SEC regulations and the comments that we received, people were looking for a safe harbor amendment. They were looking for something that said, "If I do A, B and C, do I get a get-out-of-jail card by doing those? That would be the evidence; show me the A, B and C." And the SEC waved their hands on this and said, "Oh no, no, no, we're not going to give you that. You just do the right thing," or what they call good faith compliance, and show us that you are, which means you really kind of take it upon yourselves to say
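The process the talk sketches (SBOM in, KEV check per component, provenance check on the download, evidence preserved in a tamper-proof form) is shown below as an added example. It is not the speaker's code and not REA's product; it is written here for illustration. The KEV feed is a constructed subset that only mirrors the field names of CISA's public JSON catalog, the CVE identifiers are placeholders, the SBOM is a constructed CycloneDX-style fragment, and the component-to-CVE mapping and trusted download origin are assumptions standing in for the NVD/OSV lookups and vendor allowlist a real assessment would use.

```python
"""Added example: SBOM-driven KEV check with hash-chained evidence records.
Not the speaker's or REA's code; all inputs below are constructed samples."""
import hashlib
import json

# Constructed subset shaped like CISA's KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE ids are placeholders, not real catalog entries.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-0000-11111", "vendorProject": "ExampleOrg",
     "product": "ExampleLib", "dueDate": "2023-11-01"},
]}

# Constructed CycloneDX-style SBOM for the product being assessed.
SBOM = {"components": [
    {"name": "examplelib", "version": "1.4.2", "purl": "pkg:pypi/examplelib@1.4.2"},
    {"name": "otherlib", "version": "2.0.0", "purl": "pkg:pypi/otherlib@2.0.0"},
]}

# Constructed advisory data: which CVEs affect which component (keyed by purl).
# In a real assessment this comes from NVD/OSV lookups, not a literal dict.
ADVISORIES = {
    "pkg:pypi/examplelib@1.4.2": ["CVE-0000-11111", "CVE-0000-22222"],
    "pkg:pypi/otherlib@2.0.0": ["CVE-0000-33333"],
}

# Assumed vendor download allowlist and a constructed artifact for the hash check.
TRUSTED_ORIGINS = ("https://releases.example.org/",)
SAMPLE_URL = "https://releases.example.org/examplelib-1.4.2.tar.gz"
SAMPLE_ARTIFACT = b"constructed package bytes"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()  # "published" hash


def kev_ids(feed):
    """Set of CVE ids CISA lists as known exploited."""
    return {v["cveID"] for v in feed["vulnerabilities"]}


def assess_sbom(sbom, advisories, feed):
    """One finding per component; 'kev' holds the CVEs that are also in the KEV catalog,
    i.e. the ones the talk calls prima facie evidence of real risk."""
    kevs = kev_ids(feed)
    findings = []
    for comp in sbom["components"]:
        cves = advisories.get(comp["purl"], [])
        findings.append({"purl": comp["purl"], "cves": cves,
                         "kev": sorted(set(cves) & kevs)})
    return findings


def check_provenance(download_url, artifact_bytes, expected_sha256):
    """Provenance check: package fetched from an allowed origin and matches the published hash."""
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    return {"url": download_url,
            "origin_ok": download_url.startswith(TRUSTED_ORIGINS),
            "sha256": digest,
            "hash_ok": digest == expected_sha256}


class EvidenceLog:
    """Hash-chained evidence: each entry commits to the previous entry's hash, so any
    later edit to a record breaks verification. Anchoring the final hash with a third
    party (timestamping service, notary) is what makes it presentable as tamper-proof."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _hash(prev, record):
        body = json.dumps(record, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"prev": prev, "record": record, "entry_hash": self._hash(prev, record)}
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._hash(prev, e["record"]) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def run_assessment():
    """Full pass over the constructed inputs; returns the evidence log."""
    log = EvidenceLog()
    for finding in assess_sbom(SBOM, ADVISORIES, KEV_FEED):
        log.append({"step": "kev_check", **finding})
    log.append({"step": "provenance",
                **check_provenance(SAMPLE_URL, SAMPLE_ARTIFACT, SAMPLE_SHA256)})
    return log


if __name__ == "__main__":
    log = run_assessment()
    print(json.dumps(log.entries, indent=2))
    print("chain verifies:", log.verify())
```

The KEV intersection is what separates "a CVE crossed my desk" from "CISA has observed this being exploited", and the chained records are what let you show later that the check was actually run at the time, with the download origin and hash it saw.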