New SEC Mandate on Cyber Incident Disclosure is a Crisis Communications Game Changer

“Death, taxes and security failures.”
— NETSCOUT CISO Deb Briggs on the new third certainty in life

The fundamental rule of thumb for crisis communications has historically been three-fold:

1. Move quickly.
2. Act decisively.
3. Communicate transparently.

In the best cases, crisis response/communication is a “one-and-done” exercise. When completed thoroughly and satisfactorily, an affected organization and its stakeholders can put the incident behind them and immediately proceed to the business of reputation restoration.

Yet when said crisis involves a cybersecurity incident or data breach – which are often multi-faceted and ever-changing situations – the stakes often run higher, and the rules are different.

On July 26, these rules changed yet again when the Securities and Exchange Commission (SEC) – after a lengthy debate – adopted new regulations requiring publicly-held companies to disclose all cybersecurity incidents determined to be “material” within four business days. Taking effect Dec. 15, the new rules also require details on the nature, scope and timing of the incident, as well as the “reasonably likely impact of the incident on the organizations’ financial condition and operations.”

To some, this may sound draconian and a case of “too much and too fast.” The recent Clorox breach has caused considerable consternation among CISOs and the C-suite alike, and it’s emerging as an early precedent-setter as the Wall Street Journal recently reported. But if you think it’s unnecessarily expedited, consider that in India, reporting is required within six hours of discovery!

What drove this mandate? SEC Chair Gary Gensler summarized it this way:

“Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies and the markets connecting them.”

But what does this mean for cybersecurity executives and communications teams? I recently spoke with several C-level executives in cyber and legal roles about this white-hot topic. Most were quick to offer support for the SEC’s actions, and they note that they are preceded by the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) regulations that also require organizations to disclose breaches promptly.

Unlike the SEC mandate, GDPR and CCPA apply to both public and private companies. However, it is quite likely that privately held companies will sharpen their disclosure policies to be more aligned with their publicly held brethren, our sources note. And they stress the point that every publicly held company has an ecosystem of public and private partners, suppliers and service providers which will need to up their game with respect to increasing their overall security posture and ensuring compliance with security event disclosure.

NETSCOUTS’ Deb Briggs, when asked about the differences between well and poorly-handled crises after cyberattacks, explained, “It’s all about how you respond. Ensuring brand reputation is a risk, one that is really hard to measure until it happens. We want the business to think about these scenarios and prepare and be ready to respond transparently. Cisco had a data breach a few years back and they came right out and said, ‘Yes, we were breached.’ All they got was basic information – grandma’s chocolate chip recipe and that was it. Their stock price was back up two days later. Other high-profile companies that were breached several years ago still have not fully recovered. We’ve seen this repeatedly – brand reputation will come back quicker when you can properly manage the situation.”

But that was then, and this is now.

With the SEC mandate focused on materiality, cyber leaders and their peers in legal, compliance, investor relations and communications have to balance the forensic aspect of an incident – what happened and what is the impact on our business and on our customers, for example.

“It must really start with defining what is material,” says Carolyn Crandall, cybersecurity CMO and Forgepoint Capital advisor. “It means dramatically different things to different companies. Did your systems go down? Was customer data compromised? Is there a definite financial impact?”

Is a new crisis communications playbook required? “Absolutely, and it is literally being written in real-time,” said Crandall. “There is tremendous pressure on CEOs, CISOs and financial executives to be clear, concise and quick. They have to know what to say and to whom, and what they are even allowed to say. PR still needs to manage this process.”

For those of us in PR and crisis communication who have historically yearned for a seat at the table, this should be seen as a positive.

Peter Tran is CISO at InferSight, a member of several boards, and arguably one of the most experienced and media-savvy executives in cybersecurity today. Tran echoes Crandall’s sentiments. “There is already increased engagement among the C-suite, boards, in-house counsel, external counsel and cybersecurity insurance providers. Companies need to think about implementing programs that provide greater visibility into security incidents and they must decide what they have to disclose. The comms team has to help narrate and curate that and determine how to position these situations to the outside world. Many mature companies are now disclosing their incident response procedures. It is becoming table stakes in communications, both internally and externally.”

In light of NETSCOUT’s Briggs’ comments, we shouldn’t be thinking if we have an incident, but when. Most public companies will be required to report significant hacks to the SEC in an 8-K form starting Dec. 18 to be within the four business-day window.

Given the new pressures created in what is sure to be a rather fluid environment before, during and after that date, here are five recommendations to help organizations best prepare for crisis management scenarios involving cybersecurity incidents.

1. Fix the Leaky Roof on a Sunny Day: Whether you are a publicly held or private company, update your incident response/crisis communications plans with the SEC mandate in mind. As Tran notes, just because private companies are beholden to the new regulations, does not mean they are exempt from industry best practices around preparation and communication. Don’t take shortcuts!
2. Understand the Chain of Communication Command: Whom your company communicates to externally and internally in these situations and in what sequence often matters more than what is disclosed.
3. Preparation and Practice are Paramount:  No sports team or entertainer would dream of performing without practice and warm-up. Crisis communications should be conducted no differently. Tabletop exercises and crisis scenario drills should be run at least quarterly, and they are no longer the exclusive domain of the Incident Response Team. Make it mandatory for your communications team to participate. And as one CISO notes, don’t tell participants it’s a mock drill until it is half-over. Make it seem like the real deal and see how everyone involved responds. For a drill down on incident prep, check out this blog from cyber authority and Matter client, SANS Institute.
4. Cross Train: PR teams should receive basic training on cybersecurity and data breach response, while CISOs should gain insight into public relations and crisis communication. This cross-training fosters a better understanding of everyone’s roles and responsibilities during a breach. And speaking of training, your CISO better be media trained, as they are increasingly becoming the public face and voice of the company during cyber crisis situations.
5. Write the “We’ve Been Breached” Press Release Now: While it might only serve as the proverbial “tip of the crisis communication iceberg,” the press release is a critical public-facing document that must be bulletproof. Cyber expert and Crowdstrike’s co-founder Dmitri Alperovitch shared that valuable nugget during his 2022 RSA keynote, and it always resonated with me.

PR pro tip: The press release should be drafted by the communications team in consultation with legal, compliance, not the other way around. And less is always more. Clarity and conciseness matter.