With the new cyber incident disclosure rules from the Securities and Exchange Commission coming into effect, managed security service providers — MSPs that focus on security oversight and management — are expected to play a critical role in helping their clients meet these requirements.
Under the new rules, public companies must file an 8-K form within four business days after a company determines that a cyber incident will have a material impact on their business. Companies will also need to disclose in their annual 10-K reports processes for assessing, identifying, and managing material risks from cybersecurity threats, along with details about board of directors’ oversight of risks.
Analysts say security-focused MSPs could support both of these disclosure processes by providing information and data relevant to materiality determinations, breach reporting and threat mitigation strategies. The new requirements will also give MSPs opportunities to offer consulting expertise, particularly around governance and policies to determine the material nature of incidents.
“MSPs are going to have a crucial role in helping companies comply with the SEC requirements, because they're really the experts in cybersecurity management and monitoring,” said Avani Desai, CEO of cybersecurity assessment firm Schellman. “They're helping companies implement robust processes, controls and they do regular cybersecurity assessments.”
MSPs, she said, should proactively review the SEC compliance framework to identify any gaps, and systematically review current network infrastructure to make sure all the relevant firewalls are in place, patches are up-to-date and a firm has a data-loss prevention system.
The stakes of a cyber event have risen and MSPs can help clients strengthen their cybersecurity approaches beyond incident detection and response, including ongoing preventative measures, said Joe Nocera, partner leader of cyber risk and regulatory marketing at PwC US.
MSPs won’t likely be the party deciding what incidents are material to the business, but analysts say they can offer clients crucial data to support decision making, including the extent of data loss and the sensitivity of compromised information or personally identifiable information lost in an attack.
“The managed security service provider will be held accountable if they do not provide the proper data and reporting back to their clients,” in the aftermath of a cyber event, said Travis Lee, senior director analyst at Gartner.
With criminal investigations, however, external reviewers could be called in.
In forensic investigations, for example, external experts would typically carry out a detailed review, said Lisa Sotto, a partner at law firm Hunton Andrews Kurth LLP.
MSPs could face liability in the event of a cyber incident “if it is determined that they failed, when setting up or managing a system, to take reasonable measures to protect the relevant systems and data,” she said.
Board reporting on cyber strategy
While MSPs may be expected to report to clients once a breach takes place, some MSPs say the 10-K requirement associated with the SEC guidelines will likely generate the greatest volume of work associated with the new requirements, especially under a tight deadline to produce this year’s report. 10-K disclosures will be due beginning with annual reports for fiscal years ending on or after Dec. 15.
In the 10-K, companies will need to describe their processes for assessing, identifying and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats, along with previous cybersecurity incidents. Companies also need to describe managers’ and board of directors’ oversight approach of risks from cybersecurity threats.
MSPs say this could be a major burden for firms needing to report on tight deadlines.
“This is such a short window to document and put in writing [clients’] risk management, their risk treatment efforts around cyber such that the board can effectively sign off,” said Justin Williams, managing partner at Denver-based managed security services provider Optiv.
The 10-K board reporting requirement puts the company's broader security approach under greater scrutiny after a breach. After reporting a cyber incident, a regulator might say, “let's look at what you wrote in your 10-K in terms of how you manage that risk,” said Williams.
The effort involved in detailing the board's approach to cyber threat management and response is likely to be significant, especially when the chief information security officer has limited influence over it, said Neal McCarthy, senior consultant at Atlanta-based managed security services provider Secureworks.
A boon for MSPs with consulting services
The new disclosure guidelines are likely to generate additional work for MSPs, which may need to be spelled out in contracts.
Managed security service providers can upsell customers on additional analysis and oversight services, helping companies determine the materiality of cyber incidents and adhere to SEC requirements, according to Lee. Using their wealth of data and expertise, MSPs also can help client firms develop guidelines and policies for determining the materiality of cyber events, he said.
These types of services most often fall in the consulting services category, offerings boutique MSPs have been looking to grow in recent years.
“The managed security services provider should provide this in their security consulting portfolio … as there are many MSPs that are just implementation and delivery,” said Lee. Large consultancies see this as a regulatory opportunity to differentiate themselves and win new customers, he added.
EY, for example, told CIO Dive that its wide-ranging consulting services offerings are likely to be an asset for clients looking to develop procedures, plans and policies to meet the new requirements.
This includes translating technical information in a format accessible to senior executives to help them make informed decisions, said Dave Burg, EY Americas cybersecurity leader.
“It plays perfectly alongside the EY strategy of blending many different kinds of technical skills together to solve hard business problems very efficiently and effectively,” he said.