Reimagining Cyber - real world perspectives on cybersecurity

SEC Cyber Rules Just Got Real - Ep 69

November 01, 2023 Reimagining Cyber Season 1 Episode 69

Dive into the latest episode of "Reimagining Cyber" with Stan Wisseman and Rob Aragao as they discuss the imminent implementation of SEC cyber rules in December. Join the conversation as they revisit the key aspects, including the four-day disclosure period for cyber incidents deemed material, the evolving role of cybersecurity experts on boards, and insights from the Clorox cyberattack—a potential test case for the SEC cyber ruling.

Explore the financial implications and operational impacts of cyber incidents, with a focus on companies like Clorox, MGM, and Caesars, who have already navigated the disclosure process. Gain valuable perspectives on the potential reach of SEC regulations beyond public companies and the significance of the "How Material Is That Hack" website, which provides estimates of financial losses based on cybersecurity incidents.

Join Stan and Rob as they unravel the complexities of the SEC cyber rules and share their insights on the shifting cybersecurity landscape. Tune in for a comprehensive discussion on the latest developments and considerations for businesses in this evolving regulatory environment.


Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com

[00:00:00] Stan Wisseman: So this is Stan with Reimagining Cyber. I'm here with Rob with another episode. 

Rob Aragao: Stan, how is it going today?

Stan Wisseman: It's going all right. I mean, again, I think the, the, the weather has changed here in Virginia.

[00:00:13] Rob Aragao: I see that. I see, I can see your window behind you and I see the leaves coming down and I was actually just looking out my window.

[00:00:19] It's one of those days with that wind gust comes through and it starts taking down these leaves rather quickly. 

[00:00:25] Stan Wisseman: It's the depressing part of the year where you have done all this work, picking up the leaves, and then you see all these other leaves piling on top, and it's like, I just had the yard cleaned!

[00:00:34] So yes, it's that time of year. 

[00:00:36] Rob Aragao: It's the reality that we're also a month away from the potential white stuff starting to drop on the ground.

[00:00:39] Stan Wisseman: Hey, if you lived in Denver, it's already there. There you go. Today, we'll be talking about the cybersecurity that is actually going into effect in December. It's sort of like revisiting it, right, Rob?

[00:00:52] I mean, we've talked about this before

[00:00:53] Rob Aragao: That's right. That's right. We talked about it actually at the very beginning of the year when it was being proposed, right, Stan? 

[00:01:00] Stan Wisseman: But now it's not proposed anymore. It's actually moving forward

[00:01:02] Rob Aragao: It was adopted, yeah. So, so we covered it very early part of the year. We you know, then it was adopted in the mid summertime frame and mid of December, it's going into effect.

[00:01:13] Right and I think it's important just to kind of revisit some of the key areas of the SEC cyber rule that, that, that really people are kind of wrapping their heads around right now. You know, the, the first one is the disclosure period, right? And that, that's actually set with a four business day timeframe associated to what's kind of referred to as a cyber incident that is deemed to be material.

[00:01:38] So it has some significant impact either on financial or operations of that organization. 

[00:01:44] Stan Wisseman: So let's just pause there and break that down. First off, do you personally think that 4 days is enough time to confirm a breach and understand its impact and be able to coordinate notifications? I mean, I, that's a, that's a very rapid [00:02:00] response.

[00:02:00] Rob Aragao: I agree. It's a very, very tight window to get, you know, kind of all that set of detail included because they're, they're looking, you know, they're looking for details around, you know, what the actual scope is of this breach to the other, the actual timing interval. And, and, you know, that's, that's a very, very difficult task.

[00:02:17] Thank you. You know, I think for majority of organizations to try to adhere to 

[00:02:21] Stan Wisseman: and we all know that, you know, the, the 1st announcement of a breach or understanding that a breach has occurred usually is not the way we end up understanding what happened. Right? I mean, there, there is, there is a lag

[00:02:35] in that understanding of how the breach occurred, what the impact is, and, you know, it's going to be interesting as far as how the SEC handles this probably a trickle of information coming in of initial notification but recognize hopefully they recognize it. That impact assessment is going to continue to evolve as they continue to respond to the incident.

[00:02:57] Rob Aragao: No, absolutely. And I think that, you know, we're kind of [00:03:00] starting to see some indications of that. But, you know, the biggest thing that came out of this too was what's the definition of materiality, right? Right, what does that really mean? And, and it's, it's still a bit gray, of course. We'll figure it out as we go along the way.

[00:03:13] But, you know, the way it's defined really is, it is some sort of kind of real, you know, major impact from a financial or operational point of view. Typically, what it ties back into is you know, what that public organization would have shared and notified their shareholders of through an 8K. And again, they're also needing to actually file an 8K

[00:03:33] in association to this breach occurring in this, this material event occurring, let's call it. The other thing, though, that was interesting at the very beginning of when they were proposing this was the, the potential that there was going to be an actual, you know, cyber security person that had to be having a seat on the board part of the committee.

[00:03:54] Right? They literally had to be someone that was a cyber security individual of some sorts. They kind of [00:04:00] leaned back a little bit when they actually, you know, adopted it again over the summer timeframe. And now it's more of sharing. Yeah. What relevance and experience someone may have. In the area of cybersecurity, that is part of your, you know, your management committee, your board and so on. 

So kind of, you know, they, they peeled it back a bit.

[00:04:18] Stan Wisseman: Their proficiency, basically cybersecurity. And I think the challenge there is that you may have one or more board members that have a high level understanding of cybersecurity, right? But how much true awareness do they have of what the organization's doing?

[00:04:36] And so, I mean, it's, it's, it's like, they may be able to report to the SEC that yes, we have a board member that has awareness of cybersecurity based on a previous role of another organization. But is that really as relevant in the context of today, the responsibilities they have in this organization for which they're a board member, they may be able [00:05:00] to understand the context of an incident better, but they may not have true insight into what the controls are and how they are not the effect.

[00:05:10] Rob Aragao: Absolutely. Because  I mean, you know, their particular role and duty for that board could be completely different than what it was at some other, you know organization that they actually sat on with a kind of technology, if you will, voice at the table. Right? So absolutely. 1 of the things I think is really interesting to see is Clorox and the security incident that occurred there and the approach that they've taken 

[00:05:35] as it relates to the SEC cyber ruling there, they're almost a test case at this point 

[00:05:40] Stan Wisseman: I'll be, I'll be honest. I'm not familiar with what Clorox is doing. So what are they doing?

[00:05:46] Rob Aragao: With their security incident that occurred again over the summertime frame, Clorox actually has released three separate 8K filings.

[00:05:56] Okay. The first one was in the mid August timeframe [00:06:00] where it was the notification that there is a material event that has occurred and that has actually been attributed to some sort of cyber incident that's impacting their operations. Right? So again, back to materiality. That is deemed as a material event.

[00:06:14] That's kind of, you know, something that they typically would have done in some sort of case to communicate the 8K There's, there's, there's an issue that's happened. So step 1, they got that out the door and that's kind of the statement, right? Just, just general, there's a cyber incident, right?

[00:06:28] Stan Wisseman: Okay. So, so they're really not even trying to more 

[00:06:31] Rob Aragao: details. It was an announcement. Okay. We've raised our hand. We're acknowledging the symptoms going on. We're sharing that there's something and it's under investigation. And it basically was we've initiated working with 3rd party to assist us.

[00:06:43] Right? Fast forward about a month later, mid September. So timeframe, they provided a general update that it's kind of still under. Investigation and what's happening. The last one, beginning of this month of October, they're going through and they're actually sharing their Q1 fiscal 24 [00:07:00] preliminary results, their financial results.

[00:07:03] So I'm going to call out a couple areas that they filed within that 8K and how it impacts their business from a cyber perspective. So they explicitly are calling out here that their operations update following the previously announced cyber security attack that impacted their company's business translated into net sales that have decreased or expected to decrease by 28 to 23 percent year over year, this is due to the impacts of the cyber attack that was disclosed in August.

[00:07:40] So again, they explicitly are calling that out. Gross margin now expected to be down from year a quarter. And the impact, again, attributed to the cyber security attack that's taken place, the impact on the specific offset of the pricing benefits that they've had in the past, the cost [00:08:00] savings, the supply chain optimization, right, diluted net earnings per share, adjusted EPI, I mean, it goes on and on, and it's specifically, each time, each of these bullet points, they cite that right back to the cyber incident.

[00:08:16] So that's why I say this is kind of almost like that initial case study of what we're seeing in the way that they've gone through. It's kind of it's pretty good. If you think about it, what they've done, right? Right. And but then again, what the ramifications you're starting to see are on that financial operational, you know, which are huge, huge, 

[00:08:34] Stan Wisseman: I think, I think 1 of the other things that maybe a sleeper here is, obviously the, the current round of cybersecurity rules and the, and what the SEC has responsibility for is directly impacting public companies. Right. And all private companies though, need to have their, you know, ears up here [00:09:00] because the SEC does have a willingness to stretch

[00:09:04] their, you know, regulatory perimeter over to include private companies. And there was a case this last year where a lawsuit involved the private law firm Covington and Burling, and the SEC demanded the names of the clients caught up in the cyber attack. And so they really, you know, it's not, it's not a public firm and yet the SEC is getting involved and asking more

[00:09:29] Rob Aragao: Yeah. Yeah. You know, I think when we talked about this, again, earlier this year, when it was proposed, you know, I believe we both kind of looked at it as this is where they were trying to really start putting some teeth on getting, you know, cyber quote, unquote, regulation put in place because everything's going to kind of piecemeal with different regulatory bodies.

[00:09:50] Right? And so this is a way for them to really kind of drop the hammer. Now, we'll see. You know, kind of where these things go and these examples and penalties happen. One thing to call [00:10:00] out, though, is it's important to understand this is obviously, as you mentioned, specific to public companies. They are giving the smaller entities and I don't know the specific thresholds, but the smaller kind of business entities

[00:10:13] 6 month reprieves, so they won't be kicking in until June of next year. 

[00:10:18] Stan Wisseman: Where's that? Where's that cut off?

[00:10:20] Rob Aragao: I don't know. I didn't see the specific detail. The threshold is kind of associated to how they're cutting that, that off and giving them that additional time frame, but 1 additional area that ties back into this whole topic is, you know, the Fair Institute has done a lot of work in the past, and then, you know, this from cyber risk quantification, putting in place models and frameworks to support and help people with that. And they came out with their own Fair Institute, if you will, my materiality assessment model, and it covers, I believe, about 10 different kind of focus areas, you know, things around impacts for, you know, loss of revenue, disruption to your business, fraud as part of that, reputational [00:11:00] damage as part of that, and it goes on.

[00:11:02] Then it extends, and this is really interesting, so it extends to kind of they launched a website called How Material Is That Hack? And they currently have 5 examples up there where you have of 8K filings.

So you have Clorox, you have MGM, Caesars, and a couple others.

[00:11:20] Stan Wisseman: And Caesars and MGM also did their 8K case?

[00:11:25] Rob Aragao: Already? Oh, yeah. Oh, yeah. So, so what they did the Fair Institute did it on this, on this website. It's again, you know, take it with a grain of salt.

[00:11:32] It's early, they're trying to do some interpretation, if you will. But what they're doing is they're trying to show what the actual estimated loss would equate to. And based on the information that they've seen, you know, again, I mentioned the Clorox findings, right, is what they're putting out there as part of their earnings report.

[00:11:48] And so if you take a look, you know, with what they've put for Clorox, they're saying that the estimated loss will range somewhere between about 225 million to 200 and close to 70 million or so. Right. And, and [00:12:00] they do things in a way, which is kind of interesting. They do like a primary and a secondary cost model.

[00:12:04] So the primary costs are things that you can attribute back towards loss of revenue, increase your operational costs, your response costs of the incident, right? The secondary costs are more so like, you know, could be some legal ramifications, legal fees, penalties, reputational damage, which is tough to measure, but that's kind of how they categorize that.

[00:12:24] If you take a look at MGM, then Caesars. So if you look at MGM, MGM's number is most likely to be 200 to about 250 or so million. Caesars is the one that actually said, Hey, we're going to actually pay the ransom and continue to operate. We can't take the impact. Their actual, most likely costs are right around at the high a hundred million dollars.

[00:12:49] Stan Wisseman: Because I, because, because I, because I think the ransom was like 30 million. Yeah. And I, and, and there may be other costs associated with the incident, but it wasn't a big operational cost to [00:13:00] them in the end.

[00:13:01] Rob Aragao: And you take a look at again now, MGM and MGM is close to about 300 million proposed impact financially.

[00:13:08] And we all know kind of what happened there and the elongated timeframe and impacts and negotiation didn't go so hot, if you will. But again, you know, everyone makes their own decisions and how they're going to deal with these incidents. It's just showing some different kind of relative metrics and costs on what those impacts could equate to.

[00:13:23] Stan Wisseman: So it's interesting as far as how we, in the past, when you try to assess the impact of a breach or a potential breach, many times we leverage the Ponemon kind of estimate of, you know, how much per sensitive record the cost is, and then you determine how much sensitive information potentially you are processing or storing, and then you can come up with a swag at

[00:13:48] what the potential breach cost would be for that organization. This, I think, sounds like it's a bit better of approach as far as more comprehensive than just being tied to the [00:14:00] data. 

[00:14:00] Rob Aragao: Yeah, I think so. Again, it's still early, right? They, they just launched this, but I think if you look at some of the risk calculations that they've put in there, again, they've referenced it back to their, their they call it the MAM, the materiality assessment model.

[00:14:14] They map it out to those 10 different areas and then the subcategories within those 10 different categories, if you will. And each of those is where you have kind of a sliding bar of making the projected cost associations so you can kind of play for your organization. So you can kind of play with what those potentially could look like for you.

[00:14:30] They're making, again, these proposed numbers that they're putting out there based off of what they're seeing and reading within these different filings at this point.

[00:14:36] Stan Wisseman: And then over time, that data set is going to increase. Rob, I have to admit, I'm a little, I'm disappointed that they weakened the board requirement

[00:14:48] as far as having somebody with real cybersecurity awareness and knowledge sitting on the board. But, you know, as far as overall, I think what's got, you know, approved [00:15:00] and is going to be implemented is probably a 7 out of 10 as far as what, you know, hopefully we'll make an impact and move the needle.

[00:15:07] Rob Aragao: Yeah, I, I think I'm close to you there.

[00:15:09] I'm probably an 8 out of 10. The reason I say is because at least it's a shift. It's an attempt to improve, make improvements. I agree. I would have liked to have seen, you know, a seat at the table much more effectively. I think the disclosure period is interesting to see, but if you take a look at the early examples of, hey, we're raising our hand to tell you that there's something that's happening or

[00:15:26] we're basically investigating. We're aware of it and we're, we're doing our part. So that's a, that's a good sign. But again, I think at the end of the day, it's, it's going to be, I do believe more emphasis and focus on the reality of the cybersecurity, you know, kind of landscape in each organization going forward.

[00:15:44] Stan Wisseman: It's going to be more difficult to hide it under a bushel. I mean, I, I think, I think let's face it. I mean, if nothing else, it raises the visibility as opposed to all these things that are occurring, especially ransomware attacks that we don't really actually see in the press. [00:16:00] Absolutely. Hey, Rob

[00:16:01] great talking to you about this. Again, I think we'll continue to track it but again, for our listeners, go back to the previous episode where we talked about it at the beginning and compare to what we are now going to have, actually, as a real rule, as in December. 

[00:16:16] Rob Aragao: Till next time, Stan.