Part 4 of a four-part series on cyber resilience in the mining and metals industry. Read the series here.
In the previous three articles in this series, I discussed the importance of building a resilient cybersecurity program and the need to build cyber resilience into operations. This final article will discuss the third and most often ignored component of the cyber resilience triad: communications.
Two areas where communications can impact an organization’s overall resilience are: proactive communications regarding security programs and communications during a cyber-related incident. Historically, most mining companies have not discussed security much. However, that is beginning to change. New rules from the U.S. Securities and Exchange Commission (SEC) require companies listed in the United States to proactively disclose key information about their cybersecurity programs and provide disclosure should a material incident occur. Even for organizations not subject to the new SEC rules, investors will begin to expect this level of disclosure from all companies, and these disclosures will start to factor into investment decisions.
However, beyond investors and disclosure, effective communication regarding a cyber-related incident can have a major impact on the incident itself, as well as the impact on your company and the industry as a whole. Cybercriminals rely on the threat of shame and embarrassment to help extort companies for ransom payments, timing their threat of disclosure to have the most significant impact possible. For example, immediately before or after quarterly reporting periods, around major announcements, regulatory decisions or other potentially vulnerable points. By proactively disclosing an incident, this power is taken away from an attacker, allowing you to ensure the disclosure is on your terms, with your messaging and under your control. No longer is the choice to disclose or not to disclose; the choice now is who will get to make that disclosure—you or your cyber attacker?
Best practices for routine disclosure filings
For routine SEC disclosure requirements, the goal is to ensure that your investors are informed about: (1) your organization’s cybersecurity risks; (2) the risk management processes you have in place to deal with them; and (3) the level of expertise within your board (governance) and management (execution) so that investors can assess the competence of your organization to deal with those risks.
Here are some dos and don’ts to attain those three goals.
- Your cybersecurity risks:
DO: Identify how cyber risk integrates into your enterprise risk management system.
DO: Identify your membership in a member-based organization such as Mining and Metals-Information Sharing and Analysis Centre (MM-ISAC) as a part of that risk management process, as industry risk information and sharing is critical to effective risk management.
DO: Identify the broad type and scope of third-party assessments, evaluations, simulations and other work carried out in your organization.
DO NOT: Identify any organizations as part of your risk management process unless you have a membership, retainer or other agreement with them. It is not sufficient that you “plan to call them” if there is an issue.
- Your risk management processes:
DO: Paint an accurate picture of the potential risks from cyber-related incidents.
DO: Reflect on the impact of past cyber-related incidents to inform risks going forward, but also include the improvements you have made to your controls and environment that might reduce the likelihood or impact of that risk.
DO NOT: Identify any impact as “impossible.” Phrases such as “attackers cannot impact production systems at our operations” set you up for significant issues should this happen.
- The level of board and management expertise:
DO: Identify any cyber expertise on your board and/or in the committee that provides oversight of those risks.
DO: Disclose the type and frequency of reporting to the board.
DO: Provide information on any third-party board advisors retained by the board for cyber issues if the board does not have this expertise itself.
DO NOT: Discuss reporting that is incomplete or has not happened yet. Once again, only disclose what you do at the time of reporting.
DO: Describe the role of your chief information security officer (CISO) or other security leader, their reporting relationship(s) and, if they are not members of the management team, how that information gets to the rest of management.
DO: Describe the composition and scope of your information security management committee. Who is on that committee, and what is their remit and authority?
DO NOT: Overstate the influence of the security leader in your organization. Suppose your security manager reports to a director, who reports to a CISO, who is part of your management team, and the senior management team never hears directly from this individual. In that case, your disclosure should reflect this relationship between reporting and communication.
Best practices for disclosure of an incident
While the expectation of the SEC and other regulators is the disclosure of “material” incidents, the definition of “material” is subjective. One piece of guidance I often give to security teams is that if an incident is significant enough to inform your CEO, senior management and/or board, it is substantial enough to report. It is best to err on the side of overdisclosure. If you report an incident that results in a movement of your share price, then it was, by definition, material and needed to be reported. If you report it and nothing happens to your share price, then the overreporting has no consequence.
The other thing to consider is the value of early and complete disclosure of your incident response. Much of the impact that cyber attackers have—particularly ransomware operators—is their ability to “name and shame” the victim organizations at a time and in a venue of their choosing. This could extend to reporting to regulators. There have been a number of cases where an attacker has reported an incident to the SEC or other regulators when a victim organization fails to. By proactively disclosing the incident, you can take that power away, control the narrative and reduce the stress on management and the response team.
By disclosing and controlling the narrative, you also benefit from “turning down the volume” on random, chaotic communication. By proactively informing all stakeholders, your organization’s leadership’s limited time and cognitive capacity can remain focused where it should be—on resolving the incident and preserving operational resilience, not answering random questions and requests from regulators, employees, shareholders and other stakeholders.
Key guidance for making proactive incident disclosures:
DO: Develop press releases and regulatory templates ahead of time to make the reporting cycle easier to manage.
DO: Ensure consistency in all statements. Press releases and disclosures must match.
DO: Disclose early and update as things change. It is okay not to have all the information at the beginning.
DO: Accurately reflect the known impacts on the business.
DO NOT: Speculate on impacts before they are known. Statements such as “We don’t believe customer information was impacted” made early in the investigation set you up for needing to walk them back later.
DO NOT: Provide technical information irrelevant to the general investor.
A positive change
In short, the new SEC disclosure expectations represent a change from the status quo for many mining organizations. However, I believe it is a positive change for our industry. Not only will it improve transparency for the investor community, but if implemented well, it will also reduce some of the leverage cyber attackers have against organizations.
If your board or management team does not have cyber expertise, that expertise can be obtained on a part-time basis from a virtual CISO service through an industry association like MM-ISAC or from a commercial service.
Regardless of your organization’s size, investors and regulators expect not only clear disclosure of cybersecurity risks and how a company deals with them, but also for that risk to be governed at the highest level of the organization. Beyond that, clear and proactive communication will serve to blunt some of the reputational and financial impact of a cyber incident, taking away the ability of an attacker to extort through disclosure and reducing the stress and distraction to incident response and business continuity teams.
Rob Labbé is the CEO and CISO (chief information security officer)-in-Residence at MM-ISAC.