Cybersecurity in Banking & Beyond

SEC’s Rule 106 Creates Confusion Instead of Standards

November 7, 2023 By Stel Valavanis

SEC’s Rule 106 Creates Confusion Instead of Standards
-Stel Valavanis

One of the main purposes of the SEC is to ensure that the investing public receives all the information they can and should have to make informed investments. As technology and business practices evolve, so too must the SEC and their latest attempt to adapt to changing times has led to new SEC rules involving cybersecurity and cyber operations. New SEC regulations that went into effect on September 6th (with compliance reporting to begin 90 days later, this December), garnered much attention and comment while they were under consideration and revision, and have continued to be examined since. The SEC, in responding to comments made during the consideration process for amendments to the rules, did listen to the critics of the new rules, citing their concerns that overly prescriptive laws would dictate cyber security operation, and removed many aspects of the proposed law that touched on requirements. However, by specifying aspects of the operation, the “processes” and the degree to which those processes influence other board-level decisions, the SEC merely creates a hazy set of standards by which companies will attempt to comply and will use as a template by which to make their cyber security operation “public facing”.

Much of the attention around this new set of SEC rules has focused on the breach disclosure rules, but another new regulation that will affect all SEC registrants is being mostly ignored by media and thought leaders. New Regulation S-K item 106 will require registrant organizations to “describe their processes” for assessing, identifying, and managing cyber risk. By asking for descriptions of “processes” rather than policies and procedures, the SEC is attempting to walk the line between requiring enough information to satisfy the investing public, but not so much that it can aid threat actors. Organizations will need to account for the public nature of the information divulged in their cybersecurity and public relations strategy, and this new reporting requirement will have a direct effect on cyber operations.

The SEC can avoid being prescriptive in their reporting requirements, but any requirement to report can and will have the effect of setting a standard. If a question is asked on a form, there will be answers that are favorable, or at least acceptable, to the public, even if only answered in the affirmative (or negative). Cyber operations will be tailored to make sure that the reporting to the SEC gives a favorable impression to the investing public. Security operations will be driven by the optics of what their operation is reporting and this will create a competition of security theater, rather than security. While changes to cybersecurity regulation can help raise the level of maturity across the industry and encourage best practices, they can also leave gaps and create new problems outside of cybersecurity operations.
Another aspect of the rule will now require registrants to disclose the role their board takes in making cybersecurity decisions and management. Boards will be expected to be taking an active role in this part of their organization and the reporting will show their involvement (or lack thereof). To meet this new expectation, organizations will want to show that their board is aware of and managing cyber risk and must establish a process by which the board is informed. This can take the form of briefs from the cybersecurity team or updates from the CISO, or something else, as it is not prescribed, but will be reported.

While this changing situation may cause confusion for the near future, working through the complications of regulating cybersecurity will ultimately make us all more secure. The hazy set of standards that will be created, and then tested against practice and public opinion, will likely lead to clearer rules and regulations in the future, as the trials and errors that occur will enrich the conversation had between public and private entities on the changing role of cybersecurity in business.

Biden’s Cybersecurity Announcement – Some Subtle Points are Being Lost

April 25, 2023 By Josh Eklow

Biden’s Cybersecurity Announcement –
Some Subtle Points Are Being Lost
– Stel Valavanis

The Biden Administration recently announced a new, five-pillared cybersecurity strategy that outlines not only new Federal initiatives to strengthen the defense of public infrastructure and increase federal cybersecurity capability, but also details changes that will greatly impact the private sector, cybersecurity leaders, and practitioners of today and tomorrow. It is important to remember that this announcement is a policy document, not an executive order, so while it does signal that changes are coming, it will remain difficult to prepare for specific parts of this shift until further information is released. In the meantime, business leaders and cybersecurity organizations can at least start incorporating some of the bigger and more obvious takeaways into their cybersecurity strategy.

The following are some things to consider as we make decisions today and things that I believe will become very important to business, security, politics, and beyond.

Shifting Responsibility for Infrastructure Protection

As part of the effort to “shape market forces to drive security and resilience,” the Biden administration plans to shift the liability for protecting cyber infrastructure from the clients doing business online to the cyber defense practitioners that serve those clients. A subtle point is lost to many here. This shift will actually have to be made manifest through a series of new pieces of legislation, which may face serious opposition, but businesses should still plan to comply with new minimum security standards. Enforcement of such standards may come through industry or non-government entities, such as insurance companies that will likely use these standards to qualify for coverage. Technology providers such as SaaS and hosting will be expected to adhere to standards and accept more responsibility.

Federal Cyber Insurance Backstop

This announcement makes it clear that the Administration understands the level of potential calamity that a large-scale cyber attack could mean for our government and businesses. The plan to “Invest in a Resilient Future” includes the creation of a Federal Cyber Insurance Backstop. The acknowledgment and preparation for the potentiality of a catastrophic cyberattack is a development in itself, but the fact that such an event is being planned for will have several effects on cybersecurity insurance and the businesses they cover. This backstop will be in place in case a cyberattack has wide enough effect that there are overwhelming cyber insurance claims. Law enforcement and insurers have, to date, treated cybersecurity attacks as individualized harm. However, it is important to understand that the potential impact of a cyberattack can reach the same scale of disruption as weather events, industrial spills, energy production accidents, and terrorist attacks, events that the federal government typically responds to collectively. The Biden administration is signaling that they see cyberattacks as a threat at a collective level and will be prepared to respond with federal assistance and oversight.

Actively Disrupting Attackers

By making this announcement, the Biden administration is sending a clear warning to cyber attackers that it’s no longer business as usual. Attackers often receive support and safe harbor in their home countries in exchange for targeting the US. Our companies are the most valuable and easiest to attack, with a lower risk of retribution. Our past policies and habits of not hacking back, lax law enforcement and little follow-up, allowing companies to pay ransoms, and lack of controls on personal data all contribute to our current vulnerability. The administration is announcing that our networks will be harder to attack, that we will use the whole-of-government to disrupt and prevent cyberattacks, and that we will no longer acquiesce to ransom demands. The businesses of the United States will no longer be an easy target.

Be Prepared

The cybersecurity community and businesses will have to wait to see the specifics of any actions taken or orders given in relation to the new cybersecurity plan, but it’s possible to start preparing now. There are steps that businesses can take immediately to be ready for upcoming changes. Take inventory of and have a clear understanding of your organization’s use of cloud-based infrastructure and data vendors. Make a plan to comply with minimum security requirements. Be aware of your company’s cyber insurance policy and potential law enforcement resources in case of attack. Lastly, getting involved in cybersecurity organizations in your industry will help you stay ahead of any future developments.

onSecurity – Compliance and Security

June 23, 2022 By Josh Eklow

Episode 1: Compliance and Security

onShore Security CTO Steven Kent joins Stel to discuss the intersection of compliance and security. As the author of an oft-cited saying at onShore, “security is a process, not a product”, Steven Kent is the reason that onShore has been able to satisfy the complex needs of clients in the banking industry.

Stop Ransomware & Other Attacks – Cybersecurity Roundtable

April 5, 2022 By Josh Eklow

onShore Security CEO Stel Valavanis recently joined a cybersecurity roundtable, organized by LeeShanok Network Solutions, to discuss cybersecurity strategies for businesses. Specifically, the group shared ideas about what to do to secure your company from ransomware attacks and what’s next in cybersecurity.

Digital Warfare in Ukraine and Abroad

March 3, 2022 By Josh Eklow

onShore Security CEO Stel Valavanis joined WTTW’s Chicago Tonight on the evening of March 2nd, 2022 to discuss reported cyberattacks in Ukraine, domestic cybersecurity, and the future implications and growing concern of cyberwarfare.