When it comes to the new SEC ‘materiality’ rules, assume that OT and IoT breaches qualify

Business leaders have been reluctant to openly discuss the cybersecurity risks and failures of their organizations, but many no longer have a choice. New Security and Exchange Commission (SEC) rules, which took effect Dec. 18, now require public companies to disclose their cybersecurity risk-management strategies and to report any material incidents within four days.

The new rules have major implications for organizations that manage operational technology (OT) — the data-dependent systems and sensors that control manufacturing lines, electric grids, oil refineries, and other critical physical infrastructure — and the closely related Internet of Things (IoT).

In my experience, few of these companies are ready for the SEC disclosure requirements, because they lack the ability to quickly identify a system breach or gauge its impact. That may sound surprising since many companies have taken pains to strengthen the cybersecurity of their information technologies — computer systems, databases, and data centers. But their OT and IoT systems, which are every bit as vulnerable to cyberattacks, are not as well protected, the result of years of inattention.

That’s a glaring vulnerability because the threats to such systems are growing in number and sophistication. Our recent research revealed that malware-related security threats to OT and IoT networks spiked 10-fold over six months. That’s a concern for senior management and for investors and the millions of people who depend on those systems every day.

Public companies that manage OT and IoT must respond quickly if and when those systems are compromised in a cyberattack. While it’s partly the responsibility of the chief information security officer (CISO), others in fiduciary roles — including chief financial officers, board directors, and legal counsel — must also pay close attention.

The new SEC rules require organizations to disclose cybersecurity incidents within four days of determining they are material — something investors should know about. On a case-by-case basis, the FBI may allow a delay in public disclosure if it determines there’s a significant threat to public safety or national security.

Either way, companies have to move fast. That’s challenging under the best of circumstances, but even more so given the general lack of preparedness of OT monitoring capabilities across many industries. Manufacturing, energy, and water-wastewater are the most vulnerable industries, based on our research.

Long-term implications

The SEC disclosure rules are similar in objective — and potentially in impact — to the Sarbanes-Oxley Act (SOX) of 20 years ago. SOX forced banks to become more transparent and placed responsibility on senior executives. With the new rules, the SEC mandate intends to give investors greater visibility into the cybersecurity strategies, risk management and governance of publicly traded companies in the U.S. Think of it as “CyberSOX.”

In a sign of just how seriously the SEC takes all this, the agency recently filed suit against SolarWinds, which develops observability software for computer systems.

The SolarWinds legal action predated the start of the new SEC rules by a few weeks, so they’re not directly related. But no doubt it’s a shot across the bow to businesses that don’t address known cyber vulnerabilities post-haste.

No easy fixes

What should business leaders do if and when their systems get hit by ransomware, denial of service or some other malicious attack? Start by containing the damage. Then, in accordance with the SEC, they must determine whether the incident is material.

A good rule of thumb: If it’s OT, it’s probably material because when manufacturing lines, airports or other infrastructure go offline, commerce often gets disrupted. Worst-case scenarios may have implications for public safety or the environment.

There are few fast and easy fixes, but businesses can lessen their exposure. The fundamentals of enterprise security can help: monitoring, threat detection, scanning, and patching software.

Beyond the basics, CFOs must ensure that they are aware of all of the run-the-business assets that, if crippled in a cyberattack, could have material impact. That might include the substations on a power grid or the control systems of a heavy-equipment manufacturing plant.   

Governance has always been important to well-implemented cyber strategies, and that’s certainly true under the watchful eye of federal regulators. Company policies should spell out roles and responsibilities, escalation processes, and authorization and access safeguards. Enterprises also need a well-tested incident response plan, to ensure they can identify material impacts and —just as crucially — quickly resume full operations.

In keeping with the SEC policy, businesses must now describe their cyber risk management strategies and governance processes in their annual 10-K filings. It’s safe to assume that finance and legal teams are already collaborating on that. But a note of caution: Don’t make the mistake of thinking that IT cybersecurity is enough. Double check that the company’s readiness also extends to essential OT and IoT systems.

The traditionally separate worlds of computer and infrastructure cybersecurity are coming together, which will eventually reduce the blind spots that exist today. But business, finance and tech teams can’t wait — they must align now. Under the new SEC disclosure rules, the four-day countdown clock begins ticking the moment it’s clear that material damage has been done.

Edgard Capdevielle, president and CEO, Nozomi Networks