EXPERT POINT OF VIEW — The Cyber Initiatives Group (powered by The Cipher Brief) filed national security-related comments in support of the Rules proposed by the SEC regarding cybersecurity risk management, strategy, governance and incident disclosure by public companies this week. The official file is below.
Commentators, led by former National Security Agency general counsel Glenn Gerstell, to understand Kelly Bissell, Global Head of Security Services, Microsoft Corporation, HON. Sue Gordon, former Senior Deputy Director of National IntelligenceMatt Hayden, former Assistant Secretary of Homeland Security for Cyber, Infrastructure, Risk, and Resilience, GENERAL Michael Hayden (retired), former director of the Central Intelligence Agency and the National Security Agency, HON. S. Leslie Ireland, former Assistant Secretary of the Treasury for Intelligence and AnalysisRichard H. Ledgett, Jr., former Deputy Director, National Security Agency, RAdm Mark Montgomery (retired), former Cyberspace Solarium Commission Executive Director and Debora Plunkett, fFormer Director of the Information Assurance Directorate of the National Security Agency.
Join the directors of the CIG during our Virtual Spring Summit on Wednesday, May 25e and engage with public and private sector leaders on issues ranging from potential Russian-initiated cyber operations and critical infrastructure protection, to combating the ransomware explosion and managing third-party vendors. The event is a free, registered event. Book your place now.
File Number S7-09-22 – Comments on Proposed Rule
The undersigned submit these comments in support of the objectives of the rules regarding cybersecurity risk management, strategy, governance and incident disclosure by public companies proposed by the Commission on March 9, 2022 (the “proposed rules”) .
The undersigned are directors of the Cyber Initiatives Group, a committee formed and sponsored by The Cipher Brief, a private media outlet that engages with the private sector in the United States to promote awareness of cybersecurity and national security issues. Many of us are currently directly involved in cybersecurity issues in the private sector and have significant experience in the policy and operational aspects of cybersecurity; many of us have served at the highest levels of our nation’s armed forces or intelligence community, while others hold leadership positions in the nation’s top cybersecurity companies and technology providers. (We are writing as individuals and the affiliations listed below are for identification purposes only.)
Our purpose in submitting these comments is to support the objectives of the proposed rule, to inform the Commission that, in our view, national security concerns are a valid and important rationale for developing the rule, and to emphasize that the proposed rule has the potential to benefit not only investors and registrants, but also, and in our view more importantly, our national security. In doing so, we do not comment on the scope, regulatory burden or other technical aspects of the proposed rule – as others can better address those details. We are, however, able to comment on the national security ramifications of a better cybersecurity posture for public companies.
As the Commission notes in its information statement accompanying the proposed rule, “[l]Large-scale cybersecurity attacks can have systemic effects on the economy as a whole, including severe effects on critical infrastructure and national security.
All of the undersigned are aware of the technical sophistication of our cyber adversaries and believe that this will continue to increase, imposing greater risks on our nation. In this regard, we note that the U.S. Intelligence Community Annual Threat Assessment (dated February 7, 2022) cited the cyber malice of four adversarial nation states – China, Russia, Iran and North Korea – as the most significant threats. Unfortunately, as the adversarial threat grows, so does our vulnerability, as we increasingly rely on digital technology in all aspects of our business, government, and personal lives. The advent of the Internet of Things and the vast amounts of data that is generated, stored and used by 5G telecommunications technology, artificial intelligence and potentially quantum computing (to name but a few developments), will create additional attractive targets for malware. cyber activity, increasing the risk to our country’s infrastructure, businesses and citizens. Much of this technology is owned and operated by public companies. These vulnerabilities can directly affect our national security.
We believe the objectives of requiring up-to-date reporting of significant cybersecurity incidents, as well as periodic disclosures regarding (1) a registrant’s policies and procedures for identifying and managing cybersecurity risks, (2) the role leadership in implementing cybersecurity policies and procedures and (3) the board’s cybersecurity expertise and oversight of cybersecurity risk, are appropriate and are likely to improve the cybersecurity posture registrants. SOEs own critical infrastructure, operate or manage key businesses in all industrial, agricultural, and service sectors, and in many ways are the backbone of the U.S. economy. Therefore, improving cybersecurity within public enterprises translates directly into a more cybersecure and cyber-resilient national economy. It stands to reason that requiring additional reporting on significant cyber incidents will better inform investors, the general public and government agencies, and increased disclosure on cyber policies and board experience will encourage companies (and by extension, private companies, at least to some extent) to meet or even exceed market expectations in these areas.
By their intrinsic nature, these benefits are not easily quantifiable, but the absence of precise measurement cannot in this case be a reason to deny what is manifestly obvious and logical. We believe that these benefits to our national well-being are essential and can and should be taken into account in the Commission’s policy-making and rule-making.
We understand that interested parties will have differing views on the scope and other technical aspects of the proposed rule and, as noted above, do not express an opinion here on those matters. But we would like to stress that any effort to standardize and harmonize notification and disclosure with other requirements (such as those to be implemented under the Cyber Incident Reporting for Infrastructure Act 2022 reviews) will obviously have the effect of increasing robust compliance with , and furthermore the objectives of the proposed rule.
Sign up for the Cyber Initiatives Group newsletter. Better results in cyber require better thinking. Join experts in the new public-private cyber ecosystem as we educate and create a new cyber future. Sign up for the IGC Newsletter today.
Read more expert-led national security news, insights and analysis in The encrypted brief because national security is everyone’s business.