December 15, 2023
Cyber Risk

Make the Most of SEC Cyber Rules – Surprise Advice of Ex-Uber CSO Sullivan

“I could be very bitter about the idea of government regulation since I was regulated, but I also think we need it for the Internet to work well in the future.” That’s Joe Sullivan, the former CSO of Uber, in a recent interview with TechCrunch, on the journey he’s taken since a jury convicted him in 2022 of US federal crimes for concealing a security breach and ransomware payoff at the ride-hailing company. He was sentenced to three years’ probation.

Sullivan still maintains in the interview that he and Uber did nothing wrong, but after a period of reflection (“I just wanted to curl up in a ball”) he came out the other side on the topic of government regulation – and living with it. Sullivan describes cybersecurity as “broken” in a way that only strong regulation, coupled with active public-private sector collaboration, can fix.

TechCrunch reports:

Sullivan praised the U.S. Securities and Exchange Commission’s incoming data breach disclosure rules…noting that while not perfect, it’s much better than having zero guidance. “We can nitpick the details as much as we want, but this is the right way to do it,” he said. “I seem to be the person who’s criticizing the SEC less than everyone else because I think we should praise them for trying to make rules.”

Safe Security CEO Saket Modi agrees with Sullivan’s direction, and further suggests that CISOs should look at regulation not as a burden but as an opportunity.

Critics of the SEC’s new rules on disclosure of “material” cyber risk have knocked the regulatory agency on two counts:

  1. Giving an imprecise definition of materiality that leaves it up to companies to set their own boundaries for when a cyber incident crosses the line into serious financial impact.
  2. Requiring companies to disclose a material cyber incident within a tight time frame: four days from determining that the event crossed the materiality line.

In fact, Modi says, the regulations point companies to measuring and monitoring material risk in real-time, greatly increasing their risk awareness. “Cybersecurity was always reactive. This regulation is pushing companies to become predictive and proactive. There’s a big shift in how cybersecurity is being looked at because of the SEC rules.”

Materiality is a solvable problem, he points out, with the application of the FAIR Materiality Assessment Model (FAIR-MAM), a standard released by the FAIR Institute, the authority in cyber risk quantification. Much like GAAP, the standardized accounting practices, FAIR-MAM guides cyber risk and security teams through quantifying the detailed costs of a cyber incident, enabling organizations to predetermine materiality levels for ransomware, DDoS, business email compromise, and other typical events. With dynamic tracking of signals from across attack surfaces, any organization can also get an instant read on the material impact of a hack, an assessment that otherwise typically takes weeks.
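To make the predetermined-materiality idea concrete, here is an added illustration; it is not code from Safe Security or the FAIR Institute and does not implement the FAIR-MAM standard itself. It collapses a constructed three-point cost estimate per loss category into an expected loss, compares the total against an assumed, predetermined materiality threshold, and dates the four-day disclosure window from the determination date. The loss categories, dollar figures, threshold and the PERT weighting are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class LossEstimate:
    """Three-point (low / most likely / high) cost estimate for one loss category, in USD."""
    category: str
    low: float
    likely: float
    high: float

    def expected(self) -> float:
        # PERT-style weighted mean; assumed here as the way to collapse a three-point estimate
        return (self.low + 4 * self.likely + self.high) / 6


def assess_materiality(estimates: list[LossEstimate], threshold: float) -> dict:
    """Sum expected losses across categories and test them against a predetermined threshold."""
    by_category = {e.category: round(e.expected(), 2) for e in estimates}
    total = round(sum(by_category.values()), 2)
    return {"by_category": by_category, "total": total, "material": total >= threshold}


def disclosure_deadline(determined_on: date, days: int = 4) -> date:
    """Disclosure clock starts at the materiality determination, not at the incident itself."""
    return determined_on + timedelta(days=days)


# Constructed sample: a hypothetical ransomware incident and an assumed materiality threshold.
RANSOMWARE_INCIDENT = [
    LossEstimate("business_interruption", 400_000, 900_000, 2_500_000),
    LossEstimate("incident_response", 150_000, 300_000, 600_000),
    LossEstimate("regulatory_and_legal", 0, 250_000, 1_200_000),
    LossEstimate("extortion_exposure", 0, 0, 1_000_000),  # exposure only; no payment is assumed
]
MATERIALITY_THRESHOLD = 2_000_000  # assumed, set in advance by the organization

if __name__ == "__main__":
    result = assess_materiality(RANSOMWARE_INCIDENT, MATERIALITY_THRESHOLD)
    print(result)
    print("disclose by", disclosure_deadline(date(2023, 12, 15)))
```

Lowering the predetermined threshold flips the same incident to material, which is the point of fixing the threshold before an incident rather than arguing about it during one.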

Beyond compliance, Modi adds, “a focus on materiality can have a positive impact on your risk treatment plans,” enabling prioritization among security initiatives based on return on investment and ultimately helping CISOs develop a strategic roadmap to prioritize their cybersecurity spending effectively.

New: Safe Security offers the Safe Materiality Assessment Model, based on FAIR-MAM, designed to enable security and risk leaders to present defensible, dynamically updated, quantified cyber risk reporting to regulators, the C-Suite and Board of Directors. Learn more now.