Actual (00:00)
Welcome to Status Secure. Today's briefing is about the transparency trap. Historically, when a bank got breached, the playbook was to quietly contain it and issue a PR statement months later. Today, under the SEC's Item 1.05 mandate, you have exactly 96 hours to disclose a material breach to the world. But the Bank Policy Institute is openly rebelling against this. They argue that forcing a bank to publicly announce a breach while the network is still burning acts as a dinner bell for other cybercriminals. So, CISO, from an operator's perspective, what does that 96-hour window actually look like when the shields are down?
The CISO (00:36)
I'm going to take a less popular approach to this question. Because what happens is, your security team informs the board, in terms of leadership. And then you go and you disclose, right? Well, it's because the team, and I've seen this many times, I've done all kinds of exercises with incident command folks, and most of them do the same thing, which is as soon as they find something, they start notifying leadership. The problem is that they don't understand what the regulation says, what the legal requirements are.

What you want to do is this. You want to make sure that whoever your security leader, your cyber leader, is, they understand what the regulation and the requirements are. It says that you must notify upon material breach. That word, material, is extremely important. So what you want to do is take the time. I mean, first of all, as soon as you find something, unless you're hunting, unless you are leaving it open to obtain more evidence to take whoever it is to court and get the maximum penalty possible, unless you're doing that, close your hole. Close that vulnerability. Stop it.

And then start doing your forensics, right? Don't keep it open. Don't notify your leadership while it's still open. I would say that if you do that notification, most threat actors are just going to try it. They're just going to try it because they don't know how mature your organization is, right?

So I do understand why banks are like, we don't want to have to disclose this, right? Because they feel like, from a leadership perspective, hey, our defenses are currently compromised and our IT team is distracted, because they're busy doing the work. You just need to understand and agree internally: when is it material? When have you really identified a material event? So that's where the SEC, demanding precise, legally binding public disclosure, meets the question of when the technical team actually has the information. When do you really disclose? You need to follow the law, but you also need to understand what the law is actually requiring.
Actual (03:16)
So when we were talking about this topic, you had brought up some examples that have happened before. Could you touch on those, on how other companies have handled this kind of situation? For example, you brought up CrowdStrike. Could you touch on the way they did it, and maybe the way another company has approached this kind of situation?
The CISO (03:37)
As I mentioned, I've seen them do a lot of different timing in their notification. CrowdStrike did the right thing, right? And CrowdStrike is a security company. They identified, they investigated, and once they knew there was a material impact, they then did their notification. Where it was kind of challenging for them was that they were then taken to court based on e-discovery. That's their public filing, because in their public filing, they said that they had state-of-the-art security in place. I don't know if you remember that when we talked about it, but really it was their public filing, because who's going to file a document with the SEC when they want to go public that says our security is average? Nobody's going to say that. And then "state of the art," I mean, that is open to interpretation. If they have all the latest security tools in place and configured, is that state of the art? It's unfortunate, but really, the saying is, it's not if it will happen, it's when. And you just have to be prepared for when. But it's hard, because security teams aren't legal. They're not attorneys. They're not lawyers.

So they're not looking at the public filing that happens between attorneys and lawyers who are filling out the forms and then submitting them. They may quickly review the security statement and just say, yes, we agree with it, or no, we don't. But the security statement is, again, "we have state-of-the-art security," some kind of statement like that.

And from the security team's perspective, that is true, especially if they are trying to secure their perimeter and putting in security controls. Where it was kind of challenging was that during e-discovery, they found internal communication that said there were vulnerabilities, there were controls that weren't operating as effectively as they should have. People knew about that. What saved them was that those things had been presented to the board, but every business makes decisions, financial decisions. They were aware of them. They were working on them. They just had not been fixed. So when you talk about due diligence, they did do their due diligence; they tried, right? And sometimes, again, when a security leader goes to the board and talks about security requests for funding, for additional resources, the board, the senior leadership, has to make a decision: do I give this money to security, or do I spend this money on things that are revenue generating? And we talked about that before. So this is where it can be really challenging. As a security person, unfortunately, you have to really read and understand all of your regulatory and legal obligations.

You just need to understand it so you can work with your internal legal folks to ensure that you can support any statement. So if you say, hey, we have state-of-the-art security, what does that mean? What is your definition? And make sure that's documented. Why did you put that in your public filing?
Actual (07:04)
Yeah, and that makes sense. So, going back to where we started, we're maybe seeing a shift in some of these attacks, where they're getting more sophisticated. And one of the things that they're doing is paying attention to federal regulations and taking advantage of that. So how are threat actors actually weaponizing this 96-hour SEC rule against financial institutions?
The CISO (07:30)
I mean, they use something called the whistleblower tactic. So groups like Black Hat, some other ransomware groups that are infamous, they pioneered this, which is they monitor a company's SEC filings. So let's say they've breached a company, right? They know they have, right? And they watch the company, because SEC filings are public. So they breached it on day one, and they wait for that four-day window. If the company does not file with the SEC and it's made public, the hackers will go to the SEC website and file a whistleblower complaint for securities fraud, right? So they can then leverage that. And so now the company is fined, right? But before they do that, they will answer with the company and say, hey, we breached you on this day. You haven't. We noticed that you didn't file with the SEC. And they'll calculate it. Pay us this amount of money, because it's less than if we were to inform the SEC, and then you're going to get fined even more by the federal government. And it's going to be even worse, because when the SEC does their investigation and fines you, it's all public.
Actual (09:00)
That makes sense. And on a note that you touched on before, which brought us more into the boardroom, the business side. So we're talking about getting fined; let's say you'll pay it out of a cyber insurance policy. But corporate governance attorneys are sounding the alarm on the Caremark standard. So how does a technical failure suddenly become a liability for a board director, or does it?
The CISO (09:25)
So it's more and more, like we've seen it, we've seen it where individuals are named in lawsuits. Before, it used to be that they would just go after the company, but now we see individual names on the filings, on the court cases, the lawsuit filings.

And so board directors are personally liable now if they fail to implement a cybersecurity reporting system or consciously fail to monitor it. If the board does not talk about security, if they don't want the security leader to come and talk to them, those are very basic things that a board should know and that they're actually required to do these days. Before, the board talked about financial things, but now the board has to talk about cybersecurity in their meetings. So the SEC is looking for the gap, right? They're looking for the gap between the board and the IT or cybersecurity team to see if the board is doing their due diligence as a board, because how can you make decisions when you don't understand your security posture?

Some of the things that they'll look for is, is there alignment between security and the board? Because is security doing things on their own, and there are vulnerabilities or things on the risk register that the board's not aware of? Because again, the board's directive is to make all decisions for the company. And if they don't know what's going on, who's accountable for that? The board is. So the board needs to make sure that in their meetings they are talking about cybersecurity.
Actual (11:15)
Yeah, that's a good point. I wonder if maybe we can segment out the sophistication of some organizations' boards, right? Because you're going to have those who know what they're doing. They've got all this legal counsel. They're up to date on all of these specifics and requirements. And maybe you have some younger companies, or just smaller ones, that don't have as many resources. So is this something that you have maybe thought about or seen, where this isn't talked about? Is that maybe a vulnerability spot, in your estimation? Like, sometimes we don't target the people we know. For example, I'm walking down the street and I'm going to break into a house. The one with all the security systems and the security perimeter and all this stuff, I may not break into that one. But a few houses down the street, the one that doesn't have cameras or security guards, or they just have one lock, that would be an easier hit. So does that open up a thought process that there are maybe some companies out there that might be opening themselves up to more vulnerability? And I know this has maybe transitioned; it's not necessarily about the board, but it just made me think that if we're not talking about it with our board of directors now, or our leadership, maybe we're also not doing things within the organization to keep us secure, which allows the doors to be open, or makes it easier to succumb to an attack. Does what I'm saying make any sense? Is that a thought process that you can run with there?
The CISO (12:50)
Yeah, it does. I mean, that's why, the SEC, I know that they made it a requirement. They actually made it a requirement that you are required to have somebody on your board now with security experience. I don't know how many companies are actually complying with that. But I do know, because I see it, that there's a whole bunch of requests for people for a board. When they're looking for board members now, they're looking to see if somebody has some cyber experience in their background. If you don't have somebody on your board with cyber experience, you need to get someone. You need to add it. You need to replace a board member or add a board position. That's actually one of the requirements now, so you need to do it. And it's what you said, right? It's how fast can that house get a cyber person on their board? Because they're looking, and this kind of talks about the culture of the company, because it's top down.

Culture starts from the top and it goes down, right? Like what kind of leaders you have. So if you make cyber important at the top, that direction goes down to the teams as well and then comes back up. So definitely, houses that don't have any cyber leading them are going to be a little easier for threat actors, bad actors, and threats too. It's going to be a little bit easier. They're going to keep knocking. And then when they find a house that doesn't have a strong leader in security, they know that, hey, this house probably doesn't have special locks, like biometric locks that another house might have. This house might have a back door open, right? Because nobody's checking for that. So yes, absolutely. That makes sense.
Actual (15:01)
So we've hit on a few points, and if we can gather some of the topics we've discussed and wrap them in action steps, or as we call it, our marching orders for the listeners here, we'll just hit some points: the clock is set for 96 hours, threat actors are filing SEC complaints against you, there's personal liability on the table, and someone on your board has got to have security experience. So where do we start? What are some of these marching orders that people can take after listening to this, to go and assess their organization, see if they're doing these things, and if they're not, start implementing?
The CISO (15:38)
Yeah, the first one is, and I talked about it earlier, this is immediate: you don't want to wait for a breach to figure out what material means to your organization. What you want to do is sit down with your legal team, with your security and IT, and your board, and define your thresholds for reporting. What are the criteria that you need to meet in order for it to be a material event that requires reporting? That will right away ensure that when something happens and you go and you file, it's consistent. Number one, it's consistent, right? It's not who's in charge of reporting today. And if you need to, you can share that with the regulators, because they will use your definition, they will not use their own, right? They will come in and ask you, okay, why did you choose to report this at this time? So that's number one. Number two is do a full-scale incident response tabletop exercise, and include your board. I've seen so many companies run exercises and they do not include their board. I mean, of course, Watch Your Six, we can do it. We've done many of those kinds of exercises.

So that would be the first thing: schedule that and run it, and include your board in your exercise. Don't just test IT, right? Don't just test that, hey, we have disaster recovery and we can restore the technology. Actually do a joint business continuity and DR exercise. Include your legal team, include your PR, include your board. Understand, from the top down, what are all of the touch points? And then include, again, when would you disclose? Who's making that decision? So that way there aren't any surprises when a breach happens.
Actual (17:40)
The perimeter is now the accuracy of your disclosures and the speed, or the intelligence of the timing, of your response. So when hackers are reporting you to the SEC, ignorance is not a legal defense. It could be seen as an admission of guilt. So mission success is about audit readiness before the fire starts. Let's go ahead and execute to the standard, and we'll see you next week.