Last month, we gathered a dozen CISOs from across the financial services, healthcare, and technology sectors for a private dinner in New York. The topic of conversation was the SEC's new cybersecurity disclosure rules, which went into effect late last year. Under the Chatham House Rule, what was said in that room is not to be attributed to any individual or organization. But we can share the key takeaways. And they were eye-opening.

The Consensus: The rules are a good thing, in theory.

There was broad agreement in the room that the SEC's focus on cybersecurity is long overdue. The new rules require public companies to report a cybersecurity incident on Form 8-K (Item 1.05) within four business days of determining that it is material, and to describe their cybersecurity risk management, strategy, and governance each year in the Form 10-K (Regulation S-K Item 106). They were seen as a necessary step to elevate cybersecurity to the board level.

"For years, we've been fighting for a seat at the table," one CISO said. "Now, we have one, whether we like it or not."

The Fear: The four-day clock is a nightmare.

The most contentious part of the new rules is the four-business-day disclosure requirement. Every CISO in the room said that four days is not enough time to fully understand the scope and impact of a major security incident. The clock technically starts when the company determines that the incident is material, not when the incident is discovered, but the rule requires that determination to be made without unreasonable delay after discovery, so in practice the window is short. The fear is that companies will be forced to make premature, and potentially inaccurate, disclosures.

"The first 24 hours of an incident are chaos," said another CISO. "You're just trying to figure out what happened. To have to then turn around and write a public disclosure that will be scrutinized by investors, regulators, and the media is a recipe for disaster."

There was also a great deal of concern about the definition of "materiality." Rather than set a cybersecurity-specific threshold, the SEC relies on the existing securities-law standard: whether a reasonable investor would consider the information important. Each company must apply that standard to its own incidents, weighing financial impact alongside qualitative factors such as reputational harm, litigation exposure, or effects on customer relationships. This ambiguity is creating a lot of anxiety for CISOs and their legal teams.

"We're going to see a lot of companies over-disclose out of fear," one CISO predicted. "And we're going to see a lot of companies under-disclose and then get hammered by the SEC."

The Unintended Consequence: CISOs are now a target.

The new rules also require companies to describe the board's oversight of cybersecurity risk and the relevant expertise of the managers responsible for it. (A proposed requirement to identify board members with cybersecurity expertise was dropped from the final rule, but the governance disclosure still invites investors to ask what security experience sits at the top of the company.) This has led to a "gold rush" for board members with security experience. But it has also put a target on the backs of CISOs.

"I've had more calls from headhunters in the past six months than I have in the past six years," one CISO said. "They're all looking for a CISO to sit on their board. But I'm not sure I want the liability."

The fear is that by joining a board, a CISO could be held personally liable for a security breach. It's a risk that many are not willing to take.

The Bottom Line: The SEC's new rules are a game-changer for CISOs. They have elevated the importance of cybersecurity within the enterprise, but they have also created a whole new set of challenges and anxieties. The CISOs we spoke to are cautiously optimistic about the long-term impact of the rules, but they are bracing for a period of uncertainty and turmoil in the short term.

As one CISO put it, "The job just got a lot harder. And a lot more important."