Subject: File Number S7-09-22 Comments
From: Ross Young
Affiliation:

Apr. 20, 2022

The proposed rule for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure is a fair attempt to increase cyber security but lacks the prescriptive guidance needed to actually improve cyber security.


On page 11 of the PDF you mention that investors have been seeking information on registrants' cybersecurity risk management, strategy, and governance practices. Yet the actions requested on page 12 (provide updates on incidents, policies/procedures, and the board's oversight) are too high level to actually inform investors of the real vulnerabilities that companies possess.


A Willis Towers Watson study analyzed 1150+ cyber claims submitted to insurance companies and identified the average claim settlement to be 4.88 million dollars. This is a financially significant loss that most companies would have to declare in their financial statements. The root causes they identified were:


1) 29% of data breaches are caused by human error (for example, employees falling for phishing attacks)
2) 24% of data breaches are caused by a security breach at a vendor or third party (for example, an outsourced contractor loses company data)
3) 10% of data breaches are caused by IT security measures (for example, a vulnerable internet-facing server)


If we look at the 10-K reporting required by the SEC, we can see that companies do not report on how vulnerable they are to phishing, third-party risks, or weak IT security measures in a way that allows investors to actually make investment decisions. Companies only list Risk Factors that are so vague that investors cannot judge how vulnerable a company truly is.

Example of SEC risk reporting from a sample 10-K (https://www.sec.gov/Archives/edgar/data/320193/000119312513416534/d590790d10k.htm):
************************ 
There may be breaches of the Company’s information technology systems that materially damage business partner and customer relationships, curtail or otherwise adversely impact access to online stores and services, or subject the Company to significant reputational, financial, legal, and operational consequences.
The Company’s business requires it to use and store customer, employee, and business partner personally identifiable information (“PII”). This may include, among other information, names, addresses, phone numbers, email addresses, contact preferences, tax identification numbers, and payment account information. Although malicious attacks to gain access to PII affect many companies across various industries, the Company is at a relatively greater risk of being targeted because of its high profile and the amount of PII it manages.
The Company requires user names and passwords in order to access its information technology systems. The Company also uses encryption and authentication technologies to secure the transmission and storage of data and prevent access to Company data or accounts. As with all companies, these security measures are subject to third-party security breaches, employee error, malfeasance, faulty password management, or other irregularities. For example, third parties may attempt to fraudulently induce employees or customers into disclosing user names, passwords or other sensitive information, which may in turn be used to access the Company’s information technology systems. To help protect customers and the Company, the Company monitors accounts and systems for unusual activity and may freeze accounts under suspicious circumstances, which may result in the delay or loss of customer orders.
The Company devotes significant resources to network security, data encryption, and other security measures to protect its systems and data, but these security measures cannot provide absolute security. To the extent the Company was to experience a breach of its systems and was unable to protect sensitive data, such a breach could materially damage business partner and customer relationships, and curtail or otherwise adversely impact access to online stores and services. Moreover, if a computer security breach affects the Company’s systems or results in the unauthorized release of PII, the Company’s reputation and brand could be materially damaged, use of the Company’s products and services could decrease, and the Company could be exposed to a risk of loss or litigation and possible liability.
*****************************
If we compare this standard to the liability section of a financial statement, where investors can identify debt, accounts payable, and other liabilities, we see much more transparency.
This comment to S7-09-22 therefore recommends that the SEC amend 10-K reporting to require disclosure of cyber metrics that are leading indicators of future data breaches.

Examples of such metrics could include, but are not limited to, the following:

1) During the Q4 phishing exercise conducted by your company, what % of employees clicked the phishing link/attachment?
2) What % of your employees reported the phishing attack to your cyber incident response team?
3) What is your patching standard for critical vulnerabilities (CVSS score >9) and high vulnerabilities (CVSS score 7-9)? Is it 15 days, 30 days, 90 days, 180 days, ...?
4) How many internet-facing servers do you have that currently have a high/critical vulnerability that is outside of your patching policy? What % of your total population of internet-facing servers is it?
5) What is your average Mean Time To Remediate for internet-facing servers?
6) How many third parties did your company send PII data to over the last year?
7) Of these companies, how many have a Non-Disclosure Agreement?
8) Of these companies, how many provided your company with a SOC 2 Type 2 report or ISO 27001 certification to show their company was reviewed to safeguard and apply sound cyber practices?
9) Of these companies, how many provided your company with a recent penetration test (< 1 year old) to show that the services hosting your PII data would be protected?
10) What % of Financially Significant Applications have daily backups that are read-only (i.e. developers do not have the ability to change or modify them, so they can survive a ransomware attack)?
11) What % of endpoints in your organization are running an up-to-date AntiVirus agent (signatures that are < 30 days old)?
12) What % of employees are required to use MFA to log into corporate email?
13) What % of internet-facing RDP/SSH servers require MFA?
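The patching-standard, out-of-policy server count and Mean Time To Remediate questions above are the ones a registrant would have to compute from its own vulnerability-scan data. The following is an added example, written for this comment and not taken from any SEC or vendor tooling, showing how those three figures are derived from a constructed list of findings. The patching deadlines (15 days for critical, 30 days for high), the host names and the scan dates are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional

# Assumed patching standard in days per severity band. The letter asks each
# registrant to disclose its own (15, 30, 90, 180, ...); these two values are
# illustrative only.
POLICY_DAYS = {"critical": 15, "high": 30}


@dataclass(frozen=True)
class Finding:
    host: str                          # internet-facing server (constructed name)
    cvss: float                        # CVSS base score of the finding
    found: date                        # date the finding was first detected
    remediated: Optional[date] = None  # None while the finding is still open


def severity(cvss: float) -> Optional[str]:
    """Map a CVSS score to the letter's bands: >9 critical, 7-9 high, otherwise untracked."""
    if cvss > 9:
        return "critical"
    if cvss >= 7:
        return "high"
    return None


def is_out_of_policy(f: Finding, today: date) -> bool:
    """An open critical/high finding is out of policy once it is older than its band's deadline."""
    band = severity(f.cvss)
    if band is None or f.remediated is not None:
        return False
    return (today - f.found).days > POLICY_DAYS[band]


def hosts_out_of_policy(findings: Iterable[Finding], today: date) -> List[str]:
    """Distinct internet-facing hosts carrying at least one out-of-policy finding."""
    return sorted({f.host for f in findings if is_out_of_policy(f, today)})


def pct_out_of_policy(findings: Iterable[Finding], all_hosts: List[str], today: date) -> float:
    """Share (%) of the whole internet-facing population that is out of policy."""
    if not all_hosts:
        return 0.0
    return 100.0 * len(hosts_out_of_policy(findings, today)) / len(all_hosts)


def mean_time_to_remediate(findings: Iterable[Finding]) -> float:
    """Average days from detection to fix over closed critical/high findings."""
    closed = [(f.remediated - f.found).days for f in findings
              if f.remediated is not None and severity(f.cvss) is not None]
    return sum(closed) / len(closed) if closed else 0.0


# Constructed sample: four internet-facing hosts and six scanner findings,
# evaluated as of the date of this comment letter.
AS_OF = date(2022, 4, 20)
SAMPLE_HOSTS = ["web-1", "web-2", "vpn-1", "mail-1"]
SAMPLE_FINDINGS = [
    Finding("web-1", 9.8, date(2022, 3, 1)),                        # critical, open 50 days: out of policy
    Finding("web-2", 7.5, date(2022, 4, 1)),                        # high, open 19 days: within policy
    Finding("vpn-1", 8.1, date(2022, 2, 10), date(2022, 3, 2)),     # high, fixed in 20 days
    Finding("mail-1", 5.0, date(2022, 1, 1)),                       # medium: not in the letter's bands
    Finding("web-1", 9.1, date(2022, 1, 15), date(2022, 1, 25)),    # critical, fixed in 10 days
    Finding("vpn-1", 7.0, date(2022, 3, 10)),                       # high, open 41 days: out of policy
]


def report(findings=SAMPLE_FINDINGS, all_hosts=SAMPLE_HOSTS, today=AS_OF) -> dict:
    """The three disclosure figures the letter asks for, as one dictionary."""
    return {
        "hosts_out_of_policy": hosts_out_of_policy(findings, today),
        "pct_out_of_policy": pct_out_of_policy(findings, all_hosts, today),
        "mttr_days": mean_time_to_remediate(findings),
    }


if __name__ == "__main__":
    print(report())
```

On the constructed sample this reports two of four hosts (50%) outside the assumed policy and a Mean Time To Remediate of 15 days over the closed critical/high findings. Note that the percentage is computed over the full host population, not only over hosts with findings; a registrant that quoted the latter would understate its exposure.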
Similar to the SOX reforms after Enron, the disclosure of leading indicators of future data losses brings transparency to an industry. If an investor believes one company is more likely to suffer a breach, they could invest in a competitor. At this point in time, however, investors are unable to make financially relevant decisions about how well a company can protect itself from phishing, third-party data loss, or website attacks. Until this transparency is required by the SEC, companies will hide how vulnerable their organizations remain to cyber attacks and data breaches.

Please let me know if you would like to discuss any of the above recommendations. 
Thank you, 


Ross Young