How Firms Can Disclose Cyber Incidents While Staying Secure
Venable's Grant Schneider on Why Incident Disclosure Should Look at Business Impact
Public companies disclosing a security incident under the new U.S. reporting requirements should focus on the business impact and stay away from the technical pieces, said Venable's Grant Schneider.
The disclosure should examine how the security incident will affect revenue, profitability and public perception. It should avoid discussion of how the incident took place and whether or not it's still ongoing, he said. New rules adopted by the Securities and Exchange Commission will force publicly traded firms to disclose most "material cybersecurity incidents" within four business days of determining materiality (see: SEC Votes to Require Material Incident Disclosure in 4 Days).
"The one concern I would have is the issue may not have been mitigated," Schneider said. "It could be an ongoing incident that an organization is still trying to respond to, recover from and mitigate. When you come out and say, 'I'm injured,' you become a bit of a target. There is a real concern about potential security for these organizations."
In this video interview with Information Security Media Group, Schneider also discussed:
- How organizations will determine whether or not a security incident is material;
- How often companies will be able to delay disclosure for national security reasons;
- Potential repercussions for companies found to have violated the new SEC rules.
Prior to Venable, Schneider served as the U.S. deputy federal CISO and the U.S. federal CISO and as senior director for cybersecurity policy on the White House National Security Council. He previously served for seven years as chief information officer for the Defense Intelligence Agency.