CyberWire Daily - The SEC's Cybersecurity Law, a New Compliance Era with Jacqueline Wudyka. [Threat Vector]
Episode Date: March 20, 2024
In honor of Women's History Month, please enjoy this episode of the Palo Alto Networks Unit 42's Threat Vector podcast featuring host David Moulton's discussion with Jacqueline Wudyka about the SEC's ...Cybersecurity Law. In this episode of Threat Vector, we dive deep into the new SEC cybersecurity regulations that reshape how public companies handle cyber risks. Legal expert and Unit 42 Consultant Jacqueline Wudyka brings a unique perspective on the challenges of defining 'materiality,' the enforcement hurdles, and the impact on the cybersecurity landscape. Whether you're a cybersecurity professional, legal expert, or just keen on understanding the latest in cyber law, this episode is packed with insights and strategies for navigating this new terrain. Tune in to stay ahead in the world of cybersecurity compliance!
If you're interested to learn more about Unit 42's world-class visit https://www.paloaltonetworks.com/unit42
Join the conversation on our social media channels:
Website: https://www.paloaltonetworks.com/unit42
Threat Research: https://unit42.paloaltonetworks.com/
Facebook: https://www.facebook.com/LifeatPaloAltoNetworks/
LinkedIn: https://www.linkedin.com/company/unit42/
YouTube: @PaloAltoNetworksUnit42
Twitter: https://twitter.com/PaloAltoNtwks
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K. insights from Unit 42, learn from Cortex customers, and see how Cortex is built to conquer today's
toughest security threats. Don't miss out on this chance to go from insight to transformation.
Level up your security game now. Register at start.paloaltonetworks.com slash symphony 2025.
The hardest bar to get into within the multi-state exam is Alaska.
They make their score higher than anybody else.
Do you know why that is?
I don't know.
The moose really needs some good lawyers out there.
No explanation.
Have you ever seen a moose up close and personal?
Not in real life, no.
Horse size, bigger, smaller?
Oh, much bigger than a horse.
Like a horse is a tiny, tiny little animal.
I had read a thing that one of the main predators
of a moose is an orca.
Moose can dive very deep into water
where orcas are swimming around and going like,
hmm, that looks delicious and we'll
eat a moose. And I thought you couldn't make it up if you tried. That is so bizarre.
Welcome to Unit 42's Threat Vector, where we share unique threat intelligence insights,
new threat actor TTPs, and real world case studies. Unit 42 has a global team of threat intelligence experts, incident responders,
and proactive security consultants dedicated to safeguarding our digital world.
I'm your host, David Moulton, Director of Thought Leadership for Unit 42. Today we're digging into the new SEC cyber rules with Jacqueline Wudyka, consultant at Palo Alto Networks.
Jacqueline is a multilingual legal powerhouse with bar certification in 37 states.
As part of Unit 42's Cyber Risk Management team, she specializes in governance, risk, and compliance, with a particular emphasis on data privacy.
Today, I'm going to share the conversation Jacqueline and I had about the SEC's Cyber Risk Management Strategy, Governance, and Incident Disclosure rule that was adopted in December 2023.
But first, a disclaimer. The information provided on this podcast is not intended to constitute
legal advice. All information presented is for general information purposes only. The information
contained may not constitute the most up-to-date legal or interpretive
compliance guidance. Contact your own attorney to obtain advice with respect to any particular
legal matter. Now, let's get into our conversation. What was it about the intersection between cybersecurity and law that really excited you?
date back to the 1800s. And you're just like, why? And it's so hard to wrap your head around the boogie and the this and that. That's just so not relevant anymore. Then I took a cybersecurity
course. And the cases are all about Google and Facebook. And they're all occurring within the
last 10 years. And they're still occurring. And I think the beautiful part of that is that we're still figuring it out.
And having that relevant aspect of it
is just amazing.
And we get to witness it from its infancy.
So go back to law school
and think about some of those cases
that excited you.
Are there any that really stand out?
Sure.
I mean, there's so many.
And even with this, right,
this whole new SEC regulation,
we have, let me remember, First American Advantage, I believe is the name, and so many cases like that
where it gives us a starting point to try to understand where these new rules are getting to,
right? So when something's new, I always try to refer it back to something that exists.
Caremark is a huge case that we learn in business.
And I think that these new regulations
are aligning with that in so many different ways.
And so it's always cool.
Yes, I constantly have cases floating around in my head
that I tie back to.
So you mentioned the SEC,
and that's actually what we want to
talk about today. Can you give a brief overview of the aims of the new SEC regulations?
Absolutely. So I think to answer what the aim is, right, we have to look at what's the mission
of the SEC. What's their goal? Why do they do what they do? And that's to protect investors,
to create a fair market.
And in order to do that, they have to regulate the playing field. So that means having the same
information consistent and standardized from all registrants. But what's interesting about it is
that this isn't new. This isn't the first time they're trying to have that consistent flow of
information. I think their aim with these new regulations is making it clear,
making it prescriptive as to what companies need to report on. Yeah, I think that's their goal,
right? Having that consistent flow of information across all organizations, across all registrants
in order to have that consistency and accurate information. These new rules went into effect last year,
December 15th. What are the tangible impacts the SEC cybersecurity rules have had on public
companies? Absolutely. So taking a step back, we have two main requirements in this rule. We have
the reporting side and then we have the governance risk management side. So on the reporting side,
they're really requiring disclosure of material incidents within four days of that incident being
deemed material, right? So to align with this, companies have had to internally define materiality.
We've seen a lot of companies begin doing business impact analysis, really determining what is material for them.
And this has kind of been a pain point, right? Because it's just so specific and dependent on
the organization's build. We've also seen them creating a team or repurposing a team. A lot of
these publicly traded companies have a disclosure committee already. So they'll say, okay, we have our definition of materiality.
Now who's going to actually apply that definition? So they'll have this committee or this team that
will be in charge of determining and applying that definition. So for the reporting aspect of it,
those are two main things we've seen. And then on the other hand, we have this governance and risk management,
right? And the SEC has told us that they want to know that the board of directors and executives
are being informed of risk and how they're managing this risk. So we've seen a lot of
establishments of processes and procedures and most importantly, communication paths, having those escalations really set in
stone, and also creating documentation to support this. And another thing the SEC has noted is that
they want enough detail so that a reasonable investor can understand how this risk is being
managed and mitigated and governed. So if you already have these processes and procedures
documented somewhere, you're halfway there. It's an excellent starting point. So between the two,
between the reporting and the governance and risk management, we're seeing those proactive
assessments, that materiality being defined, the restructuring to make sure we have stakeholders
in place to make those timely determinations.
And we're seeing that executives and board of directors are starting to ask questions to make sure that they're informed on this topic because that's the biggest,
I think one of the biggest points in this rule is
starting that conversation within those executives and the boards.
So I want to go back to something that you mentioned a moment ago.
If each company is defining what is material, then how does the SEC actually enforce anything?
That's a great question.
So they have given some parameters, right?
It's extremely specific to the organization, so it's going to be difficult for them to determine.
What they can do, though, is they can start asking questions.
And you don't want that to happen, right?
As an organization, why even open the door for them to doubt you on your determination that it wasn't material?
So having those processes and procedures in place are your armor against that saying, hey, no, we know this isn't material because we did X, Y, and Z.
And that gave us the conclusion that it's not material.
Jacqueline, how have these rules influenced the overall cybersecurity landscape in the business
world? It's hard to tell right now, right? Because it's just going to start being enforced. But
there's really two kinds of organizations. There's those that have their robust cyber program in place, and not much is going to change for them because they have so many resources and stakeholders dedicated to cybersecurity that it's going to be more of an, oh, this is so much more paperwork, right? And they're going to bring in their lawyers that they have on retainer and just one more thing to do.
But for those companies that haven't invested in their cybersecurity,
this is really going to encourage them to do so. It's, I think, good for the cyber landscape because it's not just a financial investment. It's really a time investment. As we mentioned
earlier, it's going to bring those cybersecurity conversations to the big boy table. It's making
it more top of mind and CISOs and CTOs are going to have to play
a big role here because they speak the language and they're going to have to make it open dialogue
at those big meetings. Are there new skills? Are there new jobs that are going to come out of this
is what I really want to know. That's interesting. I don't know if it's a new position necessarily, but I definitely think it's a new skill and training perhaps, because the security team now needs to understand these new requirements.
what needs to be escalated in a much deeper way. So before we had these determinations of,
okay, it's an event and now I think it's an incident, we're going to declare the incident, we're going to escalate it. I think that definition of their incident before even
getting to the materiality is going to have to be readjusted to account for these new rules.
So I think the security teams are really going to have to educate themselves or get trained on, however it may be, to understand this new
playground, right? Making sure that companies are protected is going to start with the security team.
How is artificial intelligence going to help security practitioners bridge the gap between what the SEC is looking for
and meet those time requirements? I think the biggest asset of AI is that it makes things go
faster, right? So now that we have this time requirement, things need to move quicker.
We have that materiality definition that gives us a little
more cushion there. I think the biggest role it'll play is with the technology aspect of it,
creating those alerts in a timely manner, organizing them perhaps in a way that's
more digestible for the security teams. What strategies or technologies should
orgs have in place to mitigate cybersecurity risk and reduce the
likelihood of having to report incidents to the SEC? So this is a big plug for me here because
I work on the proactive cybersecurity side of house and everything we do is exactly what
companies need to be doing. There's a wide array of assessments, whether it be business impact or whether it be tabletop exercises, CRAs, just to gain greater visibility into what you're working with.
So these assessments really have the ability of gaining greater visibility into where is my organization? What's its stance? What's its posture? Where are its gaps, right? That's really
where we help you identify that. And then once you identify the gaps, how do we fix them? And by
fixing them, you're proactively acting against a potential vulnerability that could spiral into
this material incident. So those assessments are extremely helpful. Another thing we recommend is revisiting
your tools. A lot of companies have the greatest, the latest, the coolest tools in the world.
But if they're not properly configured to the organization, then they're not doing you any good,
right? So we're like revisit those, make sure that they have visibility into the places where it
matters. And that way you have the ability of getting a quick alert
and being able to act on it
and hopefully remediate it before it becomes anything else.
And then another thing we always recommend is testing, testing, testing.
Your backups, your plans, your procedures.
I mentioned a tabletop exercise earlier.
We love these because it's a make-believe scenario. And each inject has a different accumulation, a different set of facts that the team then has to act upon. So it's a big pretend and it allows companies to test their procedures and test their response and see if they actually know what's on their incident response plan. It's one thing to have it documented, but it's a whole other thing to be able to just
vocalize it. So working on any of those proactive engagements is extremely helpful.
Thinking about those tabletop exercises, any surprising outcomes that you've seen as you've
worked with our clients? Oh, all the time.
Yeah, especially because they'll send us their IRP or incident response plan in advance.
We already have insight to what they should be doing.
And we'll say, wow, these people really have it together.
And then you get to the tabletop and nobody even knows that document exists.
And then there's the other side of the coin where they may not have something documented, but these people know their stuff and they are just on it.
So it's a perfect engagement and exercise to really test their knowledge on these procedures.
What else from a proactive side?
What are some of those strategies that you'd continue to recommend?
Training is a big one. As we mentioned earlier, that security team, we want to make sure that
they're trained on what these new rules require, right? That early escalation, lots of communication
moving upwards. So I think that that training and that understanding of why we're doing what we're doing is essential.
It's not just because we say so.
There's a bigger picture here.
On the other side of the coin is the training of the executives and the board of directors that haven't necessarily had to speak the cybersecurity language before.
This is relatively new. And I think having that foundational understanding of understanding the risk of cybersecurity, because that's really the main point here. That's something that they're going to have to gain that understanding of for sure.
Jacqueline, how can organizations identify when they need outside help complying with these new regulations? So one of the interesting parts of
this regulation is that it's actually requiring you to say, if you have an outsider, a third party
helping you with this cybersecurity, we don't know if it's a good or a bad or what it is,
but it's definitely interesting. So in making that partner determination, one of the biggest
things we always recommend is having it be a trusted advisor,
not coming in for the first time
when you need to make that materiality determination.
Because as we mentioned,
it's so tough to know
if you're not familiar with the organization.
So if you have somebody that knows your organization,
knows how you operate,
and is that trusted advisor throughout.
And then when you're in this situation is able to come in and help. That's amazing.
There's a saying in the legal realm that availability is the best ability. And I think
that applies here for sure. But I think to answer your question as far as outside help goes is, how well-staffed are you? If you have significant teams dedicated to cybersecurity,
you might be fine. But unfortunately, it tends to be a realm where we don't get the big bucks
all the time. So it definitely helps having a consultant come in and having that
trusted advisor whenever you need them. Do you think that the SEC leading with this regulation is going to impact how other countries
change their financial disclosure for material breach? So I think it depends where. I think it's a big maybe. And I say that because I think Europe has always been so much more demanding, not in a good or a bad way.
Just they've always asked for more and quicker and faster.
So I think that they may not be as influenced by these new regulations, whereas other places may take inspiration from
these new rules. But what is interesting is staying domestically, we're seeing these already
influence. I was reading the other day, private equity firms are now going to have something
aligned with these new SEC disclosures. So it's a big maybe all around, but definitely domestically.
Do you see different attorneys general at the state level pushing for something that's even
more aggressive? That's interesting. I think that now that this is going to become more of
a conversation and more top of mind, maybe, yeah, because they're going to start realizing the harm, whatever that
means to whoever it is, but that it's a real thing, right? I don't think cybersecurity has
been top of mind the way that it is now and the impact that it's having. I actually saw
Palo had posted that 96% of companies have experienced an incident in 2022. And it was a
couple trillion dollar market. So because of the impact it's having, I wouldn't be surprised if
states started to step up and have more rigorous requirements moving forward.
Jacqueline, looking ahead, do you anticipate any amendments or expansion to these rules based on the experience of the last six months?
Or have any predictions about how this is going to impact the landscape overall that you think are interesting to share?
Sure. So definitely guesswork here, right?
But I think we're going to have a better idea of what is
materiality in the sense of cybersecurity. Once we have more disclosures and once we see what the
SEC pushes back on and what they accept, I think it's going to give organizations a much clearer
picture of what the SEC is expecting. Another interesting point
is as far as the four days, I've heard, is this too late? And it's interesting because when an
organization has an incident, and especially if it's a material incident, they tend to make
public disclosures in a statement or on social media or however they tend to do it. And I think it's important that this disclosure
is aligned timing-wise with that statement. Because if the goal here is to protect investors,
then they should have access to that information in an extremely timely manner between that four
days after the materiality and then also what is
material and gaining a better definition. I think we'll definitely have a better insight into that
in the next couple of months or years or who knows. If you're a listener, what's the most
important set of ideas that you want them to take away from this conversation?
I think it's being proactive. Having that approach is going to be the best way of handling these new rules. Whether that be defining materiality,
establishing who's actually going to apply that definition when the time comes,
configuring your tools, and then as we mentioned earlier,
just testing backups, plans, procedures. It's that proactive approach where it's going to take you far.
As I reflect on our conversation, it's clear that the intersection of cybersecurity law is not just evolving, it's dynamically reshaping how organizations approach security and compliance.
The introduction of the SEC cybersecurity regulation isn't just a legal requirement.
It's a catalyst for a much needed shift towards a proactive security posture.
I heard a couple of key themes that
stood out from Jacqueline. First, the importance of understanding and defining materiality
within the context of cybersecurity incidents. Though challenging, this is crucial for compliance
and for safeguarding investor interests. Jacqueline's insight into the tangible impacts
of the SEC regulations, particularly on governance, risk management, and reporting, highlight the ongoing adjustments and enhancements companies are making
to align to these new standards. Second, I think that her point that preparedness,
whether through tabletop exercises, revisiting security tools, or simply ensuring that
cybersecurity conversations are happening at the highest levels of an organization
is incredibly important. These regulations are pushing companies to bolster their cybersecurity
infrastructure and to foster a culture of security awareness and responsiveness.
If you're interested to learn more about Unit 42's world-class consulting team,
I've included links in our show notes.
And if this topic is important to you, you should check out our special webinar,
The Ransomware Landscape, Threats Driving the SEC Rule and Other Regulations.
Scott Becker from Actual Tech hosts Jacqueline and Unit 42 consultants and experts Steve Dyson, David Ferron and Sam Kaplan.
I've included a link to the webinar as well. Next time on Threat Vector, I'll speak with
Sam Rubin, Vice President and Global Head of Operations at Unit 42, to discuss his recent
congressional testimony on ransomware attacks. He talks about the evolving sophistication of
ransomware attacks, the importance on sectors like education and healthcare, the role of AI
in cybersecurity defense, public-private partnerships,
and the importance of preparing
the cyber workforce of the future.
It's a great conversation you don't want to miss.
Finally, I want to thank the Threat Vector team.
Our executive producer is Michael Heller.
Content and production by Shada Azimi,
Sheila Drozdowski, Tanya Wilkins, and Danny Milrad.
I edit the show and Elliot Peltzman is our audio engineer.
We'll be back in two weeks.
Until then, stay secure, stay vigilant.
Goodbye for now.