When it comes to breach disclosures, today’s chief information security officers (CISOs) are struggling with an especially turbulent regulatory environment.
Security teams are understaffed, and systems are more extensive, making them harder to monitor and defend, while threats are becoming more sophisticated, more frequent, and more varied. It’s at precisely this difficult juncture that regulations and enforcement are rapidly changing, leaving CISOs feeling like they are running up the down escalator.
Expectations and rules around cybersecurity, data privacy, and breach prevention and reporting are in extreme flux, and nobody is quite able to predict what the landscape will look like a year from now. The SEC’s October 2023 decision to personally charge SolarWinds CISO Timothy G. Brown with fraud and internal control failures in connection with the company’s enormous 2020 data breach has shaken up all the norms regarding cybersecurity and liability, even though this aspect of the case seems to have resolved itself in recent weeks.
Clearly, the SEC is still adapting its requirements in the wake of the SolarWinds debacle. New recommendations and obligations are appearing rapidly, some of them apparently created on the fly. It’s anyone’s guess what else will arrive over the next few months. Amidst all this confusion, CISOs still need to protect their organizations and themselves as best they can.
The SolarWinds case has thrown the spotlight onto breach reporting, but this aspect of the CISO’s job is hardly set in stone. On one hand, the powers that be want breaches reported much faster. In July 2023, the SEC announced new requirements for organizations to report “material cybersecurity incidents” within four business days. The EU NIS2 directive, which becomes law in October 2024, demands an early warning notification of any significant incident within 24 hours, followed by a full notification report within 72 hours.
The combined effect is that compliant CISOs need to notify both their organizational leadership and the SEC as soon as they become aware of any possible breach. But regulatory bodies also require all reports to be accurate and relevant.
Given the new rules, together with the lack of any clear definition of “material,” some organizations have chosen to err on the side of caution. They used Item 1.05 of Form 8-K, the SEC’s breach reporting framework, to disclose incidents that were not yet confirmed as “material,” but this practice was rebuffed by Erik Gerding, the SEC’s Director of Corporation Finance.
In May 2024, Gerding issued a statement regarding a public company’s disclosure obligations in response to cybersecurity incidents. He requested that companies do not use Item 1.05, but instead use Item 8.01, which is intended for optional disclosure.
While this statement was intended to clarify a murky situation, it only resulted in more confusion. As legal counsel Jennifer Lee puts it, “Given the uncertainties in cybersecurity disclosure, Mr. Gerding’s statements that public companies should distinguish material from immaterial cybersecurity incidents in their disclosures, as well as walk the fine line of discussing an incident with third parties, may be difficult to apply in practice.”
The SEC lawsuit against SolarWinds’ CISO reveals a new instinct to hold the CISO and other business leadership personally accountable for breaches, for failures to prevent them, and for the ways in which they are handled. The upcoming NIS2 directive, which will be fully implemented in October 2024, likewise holds leadership personally accountable for an organization’s cybersecurity failings.
But recent developments could point in a different direction. A US District Court judge has dismissed much of the SEC’s case against SolarWinds, ruling that the defendants cannot be held liable for statements and filings made after the breach. The ruling does, however, leave open the option for the SEC to prosecute them for misrepresenting the organization’s cybersecurity posture before the attack.
This leaves much uncertainty about liability for cybersecurity failures. There’s a lot riding on getting this right, including serious penalties and terrible negative publicity for the company, and potentially unemployment and unemployability for CISOs and other CxOs.
The only option at the moment is to operate with maximum transparency, even as incidents are unfolding, advises Yahav Peri, CTO and co-founder of Cypago, reflecting on the aftermath of July’s CrowdStrike outage. “Effective communication within the organization and with stakeholders is vital,” he says. “CrowdStrike’s response highlights the need for transparency in addressing issues and keeping affected parties informed. Cyber GRC programs should include communication strategies to manage stakeholder expectations and maintain trust.”
While transparency certainly has its merits, it’s also important to remember that any public statement about security protections could reveal exploitable details about your cybersecurity posture. On the other hand, if a company shares more information with one group than with another group, it could be accused of inconsistency regarding security disclosures. With this in mind, it makes sense that the flow of information towards affected parties is a maturing area of data breach legislation.
“As organizations become more aware of the potential consequences of non-disclosure, we may see further attempts to weaponize the disclosure process,” warns John Morello, CTO of Gutsy. “Ransomware groups and other malicious actors may exploit the fear of regulatory action to extort payments or disrupt business operations.”
Any early reports about the extent or nature of a data breach could also handicap remediation measures. If other parties respond with their own disclosure reports, it could give malicious actors more leverage to exploit the original victim.
“Organizations may struggle to comply with the mandated disclosure timeline while still fully understanding the scope and implications of the cyber incident,” says Morello. “This could lead to incomplete or inaccurate disclosures, potentially exacerbating the situation and increasing the risk of further exploitation.”
With standards remaining volatile for the foreseeable future, the only way for CISOs to walk this fine line is for them to adopt a position of maximum honesty and transparency within the organization, working with legal counsel to determine the best cadence and mechanisms for external-facing disclosure.
Contending with changing standards in terms of breach reporting and executive culpability is a new challenge. As time passes and expectations become solidified, CISOs will hopefully regain their equilibrium.