Cyber Incident Reporting: From Guidance to Enforcement

Deepa Seshadri
Author: Deepa Seshadri, CISA, CISM
Date Published: 12 July 2022

Imagine a day when the stock markets suddenly begin to crash, contrary to market movements, and your equity holding nosedives from a healthy green to an alarm bells-blaring red. We’ve seen such days occur in view of geopolitical events, but this one would be different.

This crash wasn’t a result of any geopolitical events. When an investigation is launched, it is found out that a cybersecurity breach at one of the largest investment funds resulted in selling of equity across the board. The hackers manipulated the algorithms and disabled the security measures to stop trading. What makes it even more worrisome is that the exchange was breached, too, and the market circuits were disabled.

The US Securities & Exchange Commission (SEC) came out with reporting guidance around such breaches in 2011 and 2018; but in March 2022, the SEC went a step ahead and introduced a proposed rule applicable to registered investment advisors and funds about reporting such incidents in their SEC filings. It’s a step from guidance to enforcement, and it will have major repercussions for firms who are not yet geared to protect their assets from a cyberattack. Interestingly, the Securities and Exchange Board of India (SEBI) had also come up with a cybersecurity framework applicable to fund managers and depository participants in 2018, and it’s only a matter of time before the SEBI requires these firms to report cybersecurity incidents.

This brings a few pertinent aspects into view:

Cybersecurity Resilience & Incident Response
Until now, firms were able to disclose such incidents voluntarily, and they could choose not to disclose them. With the new rules, they must form a process for identifying a breach and for responding to such incidents. This must all be documented and filed with the SEC. It also brings a focus on cyber resilience—how prone or how resilient is the organization’s information technology infrastructure in face of such cybersecurity incidents? Ramping up the existing checks is a definite first step for organizations to build cybersecurity resilience not only across one business function but across the organization. Organizations need to understand that everything is inter-related.

Cyber Strategy and Governance
Enforcing a cyber strategy coupled with a governance framework will mean that the organizations know how to navigate the path of cyber resilience, and it will help them with compliance based on SEC requirements. Standard Operating Procedures (SOPs) must be formulated and validated through simulations to ensure that the organization is placed well to face any cybersecurity challenges.

Incident Reporting
A cybersecurity incident has the potential to severely impede an organization’s ability to respond to the threat immediately. The scenario becomes even more grim when the breached organization doesn’t have any process to understand such an incident. Reporting an incident requires the personnel responsible for the report to first understand what has happened. If the extent of a breach is underreported, many more systems and products can be impacted because the incident’s extent was not understood and reported properly. This can be more harmful than the initial breach itself because now you have rogue code running throughout your network.

Cyber Professionals on the Board
The buck stops with the board, and if the board does not have cyber professionals on it, they might just grill the Chief Technology Officer (CTO), who may not even know the complexities of the specific cyberattack. We’ve seen wars being fought in cyberspace, and even before the troops move in, the virtual troops have already started wreaking havoc. As the SEC now mandates reporting cyber incidents, it is imperative that a cyber professional is on the boards of organizations to ensure that the proper response is sent to queries from regulators, shareholders and the media.