COSECURE
The new cybersecurity disclosure rules from the U.S. Securities and Exchange Commission (SEC) train a spotlight on the growing material impact of cyberthreats and cybersecurity on companies and investors. Generally, the rules require public companies to promptly disclose material cybersecurity breaches and to provide annual disclosures regarding the company’s cybersecurity strategy, risk management, and governance. Under the new rules, public companies must provide:
Although the SEC’s rules do not apply to private companies, these rules highlight the importance of an engaged and knowledgeable management and board toward the cyber health of a company. Moreover, all 50 states and the District of Columbia have laws requiring businesses to notify individuals whose personally identifiable information (PII) may have been leaked in a cyber breach — regardless of whether the business is public or private, making the appropriate response to a cyber-incident a company-wide priority.
With the growing frequency and sophistication of cyberattacks, nontechnical managers and board members can no longer relegate the company’s cybersecurity policy and strategy to the IT department. A company’s cybersecurity posture must be elevated to the C-suite and the board.
One of the most effective ways to help management and board members develop actionable cybersecurity strategies and consider proper responses for likely cyberthreats is to run a tabletop exercise (TTX).
What Is a Cyber TTX?
Cyber TTXs are role-playing exercises designed to simulate real-life scenarios and provide participants with an opportunity to prepare for potential cyberthreats. In today’s high cyberthreat environment, conducting regular cyber TTXs is as essential for a company’s safety as its regular fire-alarm tests and fire-safety drills.
When conducting a cyber TTX, it is a good idea to practice both responding to a cyberthreat to avert a successful cyberattack and responding to a successful cyberattack. This way, participants can identify potential ways to strengthen cybersecurity as well as be reminded of incident response best practices.
While many companies have a cyber-incident response plan, it can become outdated and ineffective if it is not subjected to a yearly cyber TTX:
In addition to keeping the response plan current, conducting cyber TTXs provides several other benefits, including strengthening collaboration between different departments, identifying vendors or subject-matter experts who can help respond to a cyberattack, and setting up mechanisms for faster communication with consumers in the event of a breach.
To get the most out of a cyber TTX, it is helpful to have individuals fill several roles:
The cyber TTX creates a process of feedback and iterative improvement. Because it is an experiential learning tool, it allows participants to identify potential weaknesses in the company’s response to the cyberthreat and correct them. If the TTX is run again with the corrective measures in place, other elements may now be strengthened and improved, too.
A Cyber TTX Is a Bridge Between the IT Department and the C-Suite
Cybersecurity requires the vigilance of users, the dedication of IT professionals, and the strategic vision of management. A cyber TTX is an excellent opportunity for demonstrating how cybersecurity must be a shared responsibility. Moreover, through participation in this experiential exercise, managers and directors can appreciate the practical and strategic aspects of cybersecurity — a topic that may seem esoteric and highly technical to many.
A cyber TTX is especially helpful for nontechnical managers and directors because it is based on concrete, real-world scenarios and brings home the real-world consequences of a cyberattack. Indeed, many of the response elements practiced through a cyber TTX are not IT-related at all, but rather involve internal and external communications, compliance with notification laws, business-continuity planning, financial security, and so forth.
When coupled with an annual training program about the newest trends in cyberthreats and cybersecurity technology, cyber TTXs empower managers and directors to set a proactive cybersecurity agenda that will help align the company’s strategic business goals with the need to keep it safe from cybercrime.
Holding Regular Cyber TTX Sessions May Prevent Expensive Investigations Down the Line
Identifying and fixing cybersecurity and cyber-incident response gaps through a cyber TTX can pay significant dividends down the line. In addition to increasing the likelihood of thwarting a successful cyberattack, it can minimize the chances of a costly and prolonged investigation by regulators in the event that the company’s cybersecurity measures are breached in a successful attack.
For example, state attorneys general (AGs) are very aggressive in investigating cyberbreaches and data leaks because such leaks have significant negative impacts on consumers. These investigations can be prolonged, complex, and expensive. When settling such investigations, state AGs have often required a cybersecurity plan that includes regular cyber TTXs.
Conducting cyber TTXs before a breach occurs helps reduce the company’s response time — giving it a better chance of complying with legal deadlines for its communications with impacted consumers. In addition, regular cyber TTXs demonstrate the company’s commitment to cybersecurity best practices. These factors may help stave off an AG investigation.
If you would like to adapt the SEC’s new reporting rules for your cybersecurity program, we can help. Contact Dr. Ronald Menold, Director, Cybersecurity Services, to discuss the best options for implementing these rules internally. For questions regarding reporting obligations for SEC reporting companies, please contact our Capital Markets & Securities Group. For more information on the SEC’s cybersecurity rules, please refer to the following alert.