Last updated Tuesday, September 13, 2022, 20:25:19 GMT

The SEC recently proposed a rule that would require all public companies to report cybersecurity incidents within four days of determining that an incident is material. While Rapid7 generally supports the proposed rule, we are concerned that the rule requires companies to publicly disclose a cyber incident before the incident has been contained or mitigated. This post explains why that is a problem and proposes a solution that still lets the SEC drive corporate disclosure. Rapid7 also submitted comments to the SEC on this issue.

(Terminology note: “Public companies” refers to companies that have stock traded on public US exchanges, and “material” means information for which “there is a substantial likelihood that a reasonable shareholder would consider it important.” “Containment” aims to prevent a cyber incident from spreading. Containment is distinct from “mitigation,” which includes actions to reduce the severity of an event or the likelihood of a vulnerability being exploited, though it may fall short of full remediation.)

In sum, public disclosure of a material cybersecurity incident before it has been contained or mitigated may cause greater harm to investors than delaying public disclosure would. We recommend that the SEC provide an exemption to the proposed reporting requirements, enabling a company to delay public disclosure of an uncontained or unmitigated incident if certain conditions are met. Additionally, we explain why we believe other proposed solutions may not meet the SEC’s goals of transparency and avoiding harm to investors.

[Check out our summary and chart of incident reporting regulations here.]

Distinguished by public-by-default disclosure

The purpose of the SEC’s proposed rule is to help enable investors to make informed investment decisions. This reflects the growing importance of cybersecurity to corporate governance, risk assessment, and other key factors that stockholders weigh when investing. With the exception of reporting unmitigated incidents, Rapid7 largely supports this perspective.

The SEC’s proposed rule would (among other things) require companies to disclose material cyber incidents on Form 8-K, which is publicly available through the EDGAR system. Crucially, the SEC’s proposed rule makes no distinction between public disclosure of incidents that have been contained or mitigated and incidents that have not yet been contained or mitigated. While the public-by-default nature of the disclosure creates new problems, it also aligns with the SEC’s purpose in proposing the rule.

In contrast to the SEC’s proposed rule, the purpose of most other incident reporting regulations is to strengthen cybersecurity – a top global policy priority. As such, most other cyber incident reporting regulators (such as CISA, NERC, FDIC, the Federal Reserve, OCC, NYDFS, etc.) do not typically make incident reports public in a way that identifies the affected organization. In fact, some regulations (such as CIRCIA and the 2021 TSA pipeline security directive) classify company incident reports as sensitive information exempt from FOIA.

Beyond regulation, established cyber incident response protocols aim to avoid tipping off attackers until the incident has been contained and the risk of further harm has been mitigated. See, for example, the CISA Incident Response Playbook (particularly the section on opsec) and NIST’s Computer Security Incident Handling Guide (particularly Section 2.3.4). For similar reasons, it is commonly the goal of coordinated vulnerability disclosure practices to avoid, when possible, public disclosure of a vulnerability until the vulnerability has been mitigated. See, for example, the CERT Guide to Coordinated Vulnerability Disclosure.

While it may be reasonable to require disclosure of a contained or mitigated incident within four days of determining its materiality, a strict requirement for public disclosure of an unmitigated or ongoing incident is likely to expose companies and investors to additional danger. Investors are not the only group that may act on a cyber incident report, and that information can be misused.

Smash and grab harms investors and misprices securities

Cybercriminals often aim to embed themselves in corporate networks without the company knowing. Maintaining a low profile lets attackers steal data over time, move laterally through the network quietly, and steadily gain greater access – sometimes over a period of years. But when the cover is blown and the company knows about its attacker? Forget stealth; it’s smash-and-grab time.

Public disclosure of an unmitigated or uncontained cyber incident may prompt attacker behavior that causes additional harm to investors. Note that such acts would be in reaction to the public disclosure of an unmitigated incident, and not a natural consequence of the original attack. For example:

  • Smash and grab: A discovered attacker may forgo stealth and accelerate data theft or extortion activities, causing more harm to the company (and therefore its investors). Consider this passage from the MS-ISAC 2020 Ransomware Guide: “Be sure [to] avoid tipping off actors that they have been discovered and that mitigation actions are being undertaken. Not doing so could cause the actors to move laterally to preserve their access, or to deploy ransomware widely before networks are taken offline.”
  • Scorched earth: A discovered attacker may engage in anti-forensic activity (such as deleting logs), hindering post-incident investigations and intelligence sharing that could prevent future attacks that harm investors. From the CISA playbook: “Some adversaries may actively monitor defensive response measures and shift their methods to evade detection and containment.”
  • Pile-on: Announcing that a company has an incident may prompt other attackers to probe the company and discover the vulnerability or attack vector from the original incident. If the incident has not yet been mitigated, the copycat attackers can cause further harm to the company (and therefore its investors). From the CERT CVD Guide: “Mere knowledge that a vulnerability exists in a feature of some product is enough for a skillful person to discover it for themselves. Rumor of a vulnerability draws the attention of knowledgeable people with vulnerability-finding skills – and there is no guarantee that all of those people will have users’ best interests in mind.”
  • Supply chain: Public disclosure of an unmitigated cybersecurity incident may alert attackers to vulnerabilities present at other companies, the exploitation of which can harm investors in those other companies. Public disclosure of the “nature and scope” of a material incident within four business days could reveal enough detail about a zero-day vulnerability to encourage its rediscovery and reimplementation by other criminal and espionage groups against other organizations. For example, fewer than 100 organizations were actually exploited through the SolarWinds supply chain attack, but as many as 18,000 organizations were at risk.

In addition, requiring public disclosure of uncontained or unmitigated cyber incidents may lead to mispricing of the affected company’s securities. By contradicting best practices for cyber incident response and inviting new attacks, premature public disclosure of an uncontained or unmitigated incident may give investors an inaccurate measure of the company’s true ability to respond to cybersecurity incidents. Moreover, disclosure too early in the incident response process may result in investors receiving inaccurate information about the scope or impact of the incident.

Rapid7 is not opposed to public disclosure of unmitigated vulnerabilities or incidents in all circumstances, and our security researchers publicly disclose vulnerabilities when necessary. However, public disclosure of an unmitigated vulnerability typically occurs after mitigation has failed (for example, because the affected organization cannot be reached), or when users should take defensive measures ahead of mitigation because ongoing exploitation of the vulnerability “in the wild” is actively harming them. By contrast, the SEC’s proposed rule would rely on a public disclosure requirement with a restrictive timeline in nearly all cases, creating the risk of additional harm to investors that can outweigh the benefits of public disclosure.

Proposed solution

Below, we propose a solution that we believe achieves the SEC’s ultimate goal of protecting investors by requiring timely disclosure of cyber incidents, while avoiding the unnecessary additional harm to investors that premature public disclosure could cause.

Specifically, we suggest that the proposed rule remain largely the same – i.e., the SEC continues to require companies to determine whether a cyber incident is material as soon as practicable after discovering it, and to file a report on Form 8-K four days after the materiality determination under normal circumstances. However, we suggest amending the rule so that a company may be temporarily exempt from public disclosure when all of the following conditions are met:

  • The incident is not yet contained or otherwise mitigated to prevent additional harm to the company and its investors;
  • The company reasonably believes that public disclosure of the uncontained or unmitigated incident may cause material additional harm to the company, its investors, or other public companies or their investors;
  • The company reasonably believes the incident can be contained or mitigated in a timely manner; and
  • The company is actively engaged in containing or mitigating the incident in a timely manner.

The determination of whether the above exemption applies can be made concurrently with the materiality determination. If the exemption applies, the company may delay public disclosure until such time that any of the conditions are no longer met, at which point it must publicly disclose the cyber incident via Form 8-K, no later than four days after the date on which the exemption ceases to apply. The 8-K disclosure could note that, prior to filing the 8-K, the company relied on the exemption from disclosure. Existing insider trading restrictions would, of course, continue to apply during the public disclosure delay.

If an open-ended delay in public disclosure for containment or mitigation is unacceptable to the SEC, then we suggest that the exemption only be available for 30 days after the determination of materiality. In our experience, the vast majority of incidents can be contained and mitigated within that time frame. However, cybersecurity incidents can vary widely, and there may nonetheless be rare outliers where the mitigation process exceeds 30 days.

Drawbacks of other solutions

Rapid7 is aware of other solutions being floated to address the problem of public disclosure of unmitigated cyber incidents. However, these carry drawbacks that do not align with the purpose of the SEC rule or potentially don’t make sense for cybersecurity. For example:

  • AG delay: The SEC’s proposed rule contemplates allowing a delay in reporting an incident when the Attorney General (AG) determines that the delay is in the interest of national security. This is an appropriate delay, but insufficient on its own. It would apply to very few material cyber incidents and would not prevent the potential harms described above in the vast majority of cases.
  • Law enforcement delay: The SEC’s proposed rule contemplates, and then rejects, a delay when incident reporting would hinder a law enforcement investigation. We believe this too would be an appropriate delay, to ensure law enforcement can help prevent future cyber incidents that would harm investors. However, it is unclear if this delay would be triggered in many cases. First, the SEC’s proposed time frame (within four days of determining that an incident is material) provides a tight turnaround for law enforcement to open a new investigation or add to an existing one, determine how disclosure might impact the investigation, and then request a delay from the SEC. Second, law enforcement agencies already have investigations open against many cybercriminal groups, so public disclosure of another incident may not make a significant difference to the investigation, even if public disclosure of the incident would cause harm. Although a law enforcement delay would be used more than the AG delay, we still anticipate it would apply to only a fraction of incidents.
  • Vague disclosure: Another potential solution is to continue requiring public companies to disclose unmitigated cyber incidents on the proposed timeline, but to allow the disclosures to be so vague that it is unclear whether the incident has been mitigated. Yet an attacker embedded in a company network is unlikely to be fooled by a vague incident report from the same company, and even a vague report could encourage new attackers to try to gain a foothold. In addition, very vague disclosures are unlikely to be useful for investor decision-making.
  • Materiality after mitigation: Another potential solution is to require a materiality determination only after the incident has been mitigated. However, this risks unnecessary delays in mitigation to avoid triggering the deadline for disclosure, even for incidents that could be mitigated within the SEC’s proposed timeline. Although containment or mitigation of an incident is important prior to public disclosure of the incident, completion of mitigation is not necessarily a prerequisite to determining the seriousness (i.e., materiality) of the incident.

Balancing the risks and benefits of transparency

The SEC has a broad list of material information that it requires companies to disclose publicly on 8-Ks – everything from bankruptcies to mine safety. However, public disclosure of any of those other matters is unlikely to trigger new criminal activity that causes additional harm to investors. Public disclosure of an unmitigated cyber incident carries unique risks compared with other disclosures, and it should be considered accordingly.

The SEC has long been among the most forward-looking regulators on cybersecurity issues. We thank them for acknowledging the significance of cybersecurity to corporate management, and for taking the time to listen to feedback from the community. Rapid7’s feedback is that we agree on the usefulness of disclosing material cybersecurity incidents, but we encourage the SEC to ensure that its public reporting requirements avoid undermining its own goals and handing attackers additional opportunities.
