Simply Solving Cyber

Simply Solving Cyber - Abhishek Bharti

Aaron Pritz
Aaron Pritz:

Thanks for tuning in to simply solving cyber. I'm Aaron Pritz

Cody Rivers:

And I'm Cody Rivers.

Aaron Pritz:

And today we're here with Abhishek Bharti. He's a former managing director in a big four consulting practice focused on privacy, information, security and risk management. And, without further ado, I'd like to introduce Abhi and, maybe start with a little bit of background. Abhi, tell us about yourself, your journey into cyber and what you're passionate about in this field.

Abhishek Bharti:

Thanks, Aaron. And thanks, Cody, for that intro. Hello, everyone. My background, has been, as Aaron mentioned, entirely in the information security space. 20 years of experience in this field and, my passion in this area began after I finished my master's, uh, from by way of background. I did my education and schooling all in India and once I finished my master's, my first exposure in the world of cyber security came by way of my first job, which was for, India's largest internet service provider at that time. And also, um, you know, a collaboration with a company based in the US, which dealt with digital certificates. And that brought me to the field of cryptography and encryption and digital signatures. And that was really my introduction in this field. And ever since My passion and interest grew in this area and I never left. Post that, experience, I had a chance to work for one of the big four organizations in India, worked for them for, around four and a half years. And by working with them, I got an opportunity to have a global exposure to a lot of global clients as well as experience working in a lot of global locations. And then 14 years later, I came to the U S and had an experience here working with multiple financial institutions, by working for that big four. And as part of my experience, my focus area was on cyber security strategy, risk and compliance. And in this field, as we all know, over the last few years, we've seen lots of regulations change in the cyber security and privacy space, both in the U. S. as well as globally. So I've been actively involved in that area for a lot of time, in the past.

Aaron Pritz:

Awesome. So what would you say has been the biggest challenge that you've seen? You've been in consulting for a long time. What are some of the biggest challenges that you've seen clients struggle with? And where have you felt like in your you've given some of the most impactful advice processes solutions?

Abhishek Bharti:

Yeah, great question. I think in this area we've seen a lot of clients and people who are working in this area be familiar with a lot of standards, as well as frameworks and regulations. But the challenge I would say in my experience comes on the aspect of applying that to your organization because I know it's a consulting cliche statement on one size fits all does not one size does not fit all so but what that really transpires and means in the context of your organization is to understand how you want to tailor your capabilities within the cyber security program to the relevant risk Uh, and understand the implications of what those regulations mean. And the final part of that challenge would also be that as and when new regulations come up, I've seen, you know, organizations less mature, medium maturity to high maturity. Almost all of them struggle with the aspect that. Something new has come up and they want to start from scratch with respect to that compliance. So the program needs to be built in such a way where, you are doing the basics right. And believe it or not, even in this day and age, while we talk about artificial intelligence, blockchain, and all those emerging technologies, The number one reason for a cyber security incident to affect any organization still remains the basic block and tackle Aspects that get missed example being you know, vulnerability or patches not being applied on time So yes, there are more sophisticated attacks But there continues to be a sufficient number of missing elements on basically doing the basics right.

Aaron Pritz:

Yeah, I've totally seen that. I feel like sometimes cyber teams or new leaders want to jump to build the third story of the house. And maybe the loft with the game room and the arcade before laying the foundation to the house or maybe digging a basement, uh, may not always be the fun stuff like thousands or millions of vulnerabilities is daunting, but you are right, like that is, most of the time it's like vulnerability exploited through a human error that linked to unpatched vulnerabilities on core servers. So I think back to the basics is always one of the first things that we make sure to call out. And, you know, if those are gaps and in any kind of program,

Cody Rivers:

Yeah, Aaron, big commentary and hobby to a lot of our listeners are, folks who are new to cyber, they're growing in their cyber careers or their mature, you know, seasoned, cyber executives. But what's some kind of advice, with new regulation coming out, as people are being tasked to do more with less, what's some kind of general advice you would say for new consultants or new practitioners who are getting into the arena?

Abhishek Bharti:

Great question. I think my advice would be, continue to be a learner, continue to be inquisitive, continue to keep up with the learning. If you can't rest on past laurels, if you want to succeed in this industry and do well for you yourself in your career and as well as for the organizations that you work with, because again, it may sound cliche, but. Cyber security is so complex and changing so fast, probably fastest than any other field or in any other industry in this world that you have to keep pace with what is happening, and it does not necessarily mean that you need to know all cutting edge stuff. So, for example, you know, the latest buzzwords around quantum and the cryptography world and the crypto world. Yes, it's good to know you need to increase your awareness, but you don't all necessarily need to be become suddenly become experts in quantum right of as of now, because the whole industry will take a while before we get there. But having said that, if I compare, let's say the quantum computing buzzword with, let's say, the cloud technology. Cloud has already, in my opinion, reached that tipping point where it is applicable to most organizations. So if you are starting new in your career and you are not aware of how the cloud infrastructure operates and you are still thinking traditional data center infrastructure, then you are falling behind the curve and are not going to be as competitive in your career with respect to, moving up in the industry and getting the right jobs.

Aaron Pritz:

How do you stay up to date? How do you learn? I've been just to share my own 22nd version. I every morning I have a news aggregator. Mine specifically is feedly, but I've got specific keywords and it serves up, 10 to 20 news articles and I probably filter it down to three or four that I'll read, but that's one thing that's been helpful for myself. Consulting gives you another vector. But what are some of the best ways or tips for those listeners that you stay abreast of the latest?

Abhishek Bharti:

A couple of things. I think, news aggregator is certainly one of them. I think it's a great, tool to Get the right message at least quickly and be aware of what's happening, in the industry currently. Another thing is you can't boil the ocean, right? And there is volumes of information that you can't spend all your day reading every day. So you need to, beyond a certain point in your career, decide, Hey, Which areas do you want to focus on? And try to then, invest time specifically in that area. So the days of being too much of a generalist are gone. So you need to carve that specialization for yourself. So whether it is, strategy, whether it is regulatory stuff, whether it is identity access management, you need to pick certain areas you are keeping yourself updated on those fields. News aggregation sites are certainly important. Others I would suggest would be one, keeping up with some certifications in relevant to your sector and your industry and you to study those areas a lot more, right? So you can be, challenging yourself and making it a little bit more disciplined approach to cover those areas. And the second would be I know we all talk about networking sites and, collaborating with other folks in the industry. Making sure you follow people who are leaders in that space. So that when they are sharing any article on some of these networking sites, you are able to, pay special attention or take out time to read those articles because obviously they will be sharing something relevant, which will be useful.

Cody Rivers:

Yeah, excellent. Excellent. And well, speaking of knowledge and learning new things, one thing that we get a lot of questions about. You have frameworks change and guidance changes. But one thing I want to talk about today is the SEC cyber rule. That kind of came out and we had a large influx of how does it impact me? Is it now? Is it retro? Is a current? When does it take effect? How do I define material? So would love to kind of get your summarization, your thoughts on what leaders need to be aware of and what they need to be doing

Abhishek Bharti:

pretty great question and a great topic, I would say, which is quite relevant for a lot of companies these days. But, specifically to talk about the SEC cyber rules. So the rule that has recently been finalized by the SEC is around cyber security disclosures, and this is relevant for all public listed companies. So it does not matter what industry you are in as long as you are publicly listed, which means SEC is going to be your regulator. You are subject to these new rules on SEC cyber disclosures. The rules themselves are quite elaborate, but I'll try to summarize it for our listeners here. There are basically three parts to the rule, but before I go to the three parts, I want to spend a little bit of time explaining why this new rule was needed and why was it initiated. So in 2011 and then subsequently in 2018, the SEC did give out guidance around, being careful with cyber security risks for organizations and especially public listed organizations because obviously investors are relying on those companies to do well and are putting in their money by way of investing in those stocks. However, the SEC noticed that in spite of that guidance to, have a lot of oversight, governance and risk management around this particular cyber security risk, which was obviously in the last decade, becoming I would say a top five risk if you look at enterprise risks for any organization in this day and age, we are all reliant on I. T. Systems and with I. T. Systems and technology obviously comes cybersecurity risk. But coming back to why the rule was needed. So the SEC noticed that post 2018 when the guidance came out specifically around cyber disclosures and being transparent with those risks. Even then, the public listed companies were not being very forthcoming with respect to reporting those risks. Although, news and media coverage did talk about cyber security incidents happening at those organizations, but they were not being formally reported on a timely manner. So the SEC felt that to give them enough teeth to go after organizations for non compliance, One reason was to make it a rule so that they now have explicit authority to go after organizations that do not do it. But the intent is not for the SEC to, penalize organizations. The intent is, transparency for the investors. So before, investor invest in a stock of a public listed company, they need to be fully aware of all the risks. associated with that organization, including cyber security risks. I know enterprise risks are being talked about, leaving aside cyber, but the SEC felt cyber was important enough to be explicitly called out. As a result, they came up with this guidance in 2018, like I mentioned, but now they have made it a rule. Now let's come to what are, like, three broad expectations of these rules. The three broad expectations of these rules are That any organization that is subject to this rule has to demonstrate oversight of risk management oversight on cyber risk management. I should specify not just enterprise risk management because enterprise risk management has been around for a while, but specifically demonstrating cyber risk management capabilities and oversight. And by that, what I mean is not just conducting a cyber risk assessment, but also, regular, reporting at a decent cadence to the board, to the audit committee on what those cyber security risks look like for the organization and how is the organization geared up and prepared to deal with the cyber security risks. So that's number one broad area that the SEC expects organizations to manage. And also disclose as part of their filing to the SEC. So that's the first part of the expectation

Aaron Pritz:

Before we move on to the second. How much? I think this is a big question being discussed. How much needs to be disclosed? Is it? A couple bullets. Is it full transparency of all the job aids and details? Probably not. But the answer is always somewhere in the middle. Where do we think that middle is shaping up to be?

Abhishek Bharti:

Yes, spot on, Aaron. And the answer is definitely in the middle. I would say, uh, maybe less than the middle. And the reason I say that is this is obviously going to be sensitive information and anything disclosed to the SEC becomes public information. So Yeah. With respect to risk management capabilities and what the organization is doing, what sort of cyber risks are they facing? I think, to err on the side of caution, organizations will disclose that they are, paying attention to it, how they are paying attention to it, but may not disclose too much granular details around those capabilities as well as risks faced by that particular organization because once that information becomes public, you are indirectly putting a target on your back by disclosing too much. So very important that, individuals or committees being responsible for interaction with the SEC in terms of reporting requirements, do a collaborative session with, people from other departments and by other departments. I mean, like I expect organizations to form committees. That will have representation from financial reporting from offers finance. From cyber security, from compliance as well as legal. All these departments need to come together to come to a consensus as to what needs to be reported and how it needs to be reported because you don't want to give away too much to have a further target on your back.

Cody Rivers:

Yeah

Aaron Pritz:

I suspect like having a playbook or some sort of pre aligned plan is going to be advantageous versus winging it in mid December. Is that a fair assumption?

Abhishek Bharti:

Definitely. In fact, that is one of our common recommendations. We advise our clients to prepare for the situation. God forbid they should not get affected by a cyber security incident that forces them to report to the SEC. But. Being prepared is always better. And I know that organizations cannot think of all the possibilities of a potential cyber security incident, but at least the common ones that they have seen other organizations suffer in the past or their own organizations suffer in the past, they need to be prepared with determining how and when they will, determine whether it is reportable or not. And then what extent would they report that to, the SEC, including determining some At least initial draft language.

Aaron Pritz:

And that's on reporting, but even the risk management and governance, that's not something you need to wait on. Like figuring out what you've already done and what level of granularity that you're going to go to, report your program level information or how you communicate with the board. That's something that's even you can even prepare more near.

Cody Rivers:

Well, and I thought about to Aaron. So your point about that is I look at my definition, and I'd be love to hear your thoughts here. You've got another contract languages and stuff that you see a lot of, like data sharing agreement, you'll see incident versus event and what defines that, but you have a thing reporting material breaches. Material. So I think, Aaron, your point, helping companies define what is material for the company so they know when to report what not to report. But I think it might be a good question. So I'd love to hear your thoughts on how you define material. And I know you're not lawyers, so this is not lawyer advice, but it would love to hear your thoughts on how companies figure out to define what's material and what's not material. So in effect, what they do and do that report.

Abhishek Bharti:

Excellent question. So actually that ties very nicely with the second grouping of what the SEC's expectations for. So I'll tie your response to that part. So the second part of expectations of the SEC as we all started touching on that topic is reporting on incidents. So any and every incident that happens in your organization obviously need not be reported because one, it will overwhelm the SEC and also overwhelm the organization itself in terms of preparing for those incidents. So the expectation of the SEC is, uh, they've used that term as Cody mentioned, material incidents need to be reported. And materiality is a word quite often used in the context of this. regulation and it has been around in this space for quite a while, but I want to distinguish in terms of what the expectation of materiality is because clearly the SEC has not given a formula or exact sort of definition of how materiality would apply in the context of cyber security incident, but based on my experience of working with many clients in the space and helping and assisting them in determining what it should be, I'll share some of my insights. So the first part, as I was alluding to the word materiality has been around for a while. In the financial audit world there is a dollar value threshold that is typically defined, which sort of also ties with the enterprise risk management aspect of it on what is an acceptable level of loss that the organization can sustain without affecting its capabilities in the long term, right? So a dollar value threshold is defined. So in the financial audit world side, if any transaction mismatches that particular dollar value threshold, if it is below the threshold, it can be ignored for, easier terms to understand. But if it is beyond that threshold, then it needs to be investigated and reported to the SEC and some investigation needs to be done. So the concept is similar here where any significant cyber security incident needs to be reported. Now, how do we define that significant is really up to the organization to determine. And there is no easy answer for this as you were alluding to Cody. So the challenge becomes, one, you can apply multiple inputs to come to that determination. The most important aspect around determining this is whatever criteria you come up with needs to be documented. So the SEC, the first thing will the SEC will come to review when they examine you if you're chosen for an examination is whether this criteria was well established, documented and accepted by the senior management and the board, right? So coming up with a defined criteria. So as Aaron was saying, can we do it on the fly? No, you can't do it on the fly. You can do it on the fly. God forbid if you get selected for an examination, you will fail and it's totally impossible. You will incur the, wrath of the SEC in terms of monetary penalties. So coming back to what these inputs could be, so one could be, you know, your risk appetite based on your well established or already pre established enterprise. risk management rules that your organization may already follow, like what is your appetite for a regulatory penalty? What is your, appetite for being subject to, regulatory noncompliance? Example could be, let's say you are a healthcare organization. So HIPAA laws apply, right? So at what point do you say if 100 records worth of HIPAA related sensitive PII information was lost. Is that going to be considered significant enough? Or is it going to be a thousand records? Or is it going to be much more critical and only ten records? Or less than ten records? So, that determination has to be made internally by your privacy team, by your legal team, by your compliance team as only one of the inputs. The other possible inputs and I can't obviously go through all possibilities because it again needs to be tailored assessed for each organization Again coming back to my original comment on there's no one size fits all philosophy here So it really needs to be articulated determined and tailored for every organization. But just to give you another example It would be Are you able to quantify your cyber security incident in some manners? And if you are able to quantify it, then based on your enterprise risk level threshold, then you can say this particular in cyber incident that happened cost me, you know, 1 million and my threshold for risk appetite was 900, 000. So it has exceeded that threshold. Therefore, I need to report this, right? So that is again one of the possibilities organizations can consider as they are thinking of how to make that determination of what is going to be reportable and not reportable. And then the last thing I'll say is, on the requirement for four business days, the rule currently says you need to report any significant or material event within four business days. Does your organization currently have the capabilities once it knows about the incident to make that determination within four business days and be ready to report within four business days. So those are some things for organizations to consider as we, look at compliance with respect to this rule.

Aaron Pritz:

Yep. So if an organization has to report it once they've deemed it material. And if material, I think I've got a reference here, means that there's a substantial likelihood that a reasonable shareholder would consider it important to an investment decision, how long can an organization reasonably take to determine materiality? Because I've seen some language on there determination must be made without unreasonable delay, but that's qualified. So could I get away with a year of determining materiality? This rhetorical, uh, and then be like, Oh yes, it was, here's a year later. That's not going to solve anything. What is your read on that?

Abhishek Bharti:

Yeah, that's a great question. And again, that's the gray area that the SEC has left and people consider it as both good news and bad news. Bad news because they have not provided the clarity, but good news because it gives organizations that flexibility to come up with that determination. So I think similar to our earlier conversation, the answer lies based on what is determined to be by the organization itself, right? So tomorrow, let's say the SEC, you determine as you were giving the example, Aaron, and I will say I'll take one year to determine whether it is material or not. So the SEC will not penalize you for Determining that, you will take one year, but as part of your risk management processes, when you do end up reporting, all the investors would know that this organization, which claims to be mature enough is taking one year to determine whether it is material or not. So some of the onus on determining what is a reasonable time period automatically falls on the organization in itself. So clearly, while the SEC gives you that flexibility, you cannot have all the time in the world to make that determination. And there is additional complexity where even historical events in aggregate, if they are in future considered to be material you are expected to report to the SEC on that aspect as well. So organizations that may have determined something to be immaterial in the past year face similar incidents in the coming year. Then you are required to then create that analysis to determine all these incidents seem to be related. And therefore, in aggregate, they become material. So those are some of the challenges that organizations need to consider as they prepare their capabilities to meet these objectives.

Cody Rivers:

Yeah. And so I have a two part question coming up. So one, when does this go into effect? You know, from a hard date? And I think my follow on question would be, is there a statute of limits to it? So is it after said time, you can't go back, to a certain point in time. Not that I'm playing devil's advocate here, but if someone were to miss the four day window Is there a time they want to wait and keep it quiet when, hey, we're outside a window set your limits to report this concern?

Abhishek Bharti:

Well, I would say it based on what has been determined or documented internally as the process for the organization. So like I was saying, you can create a policy that says we will take no more than two weeks to determine or we will take no more than one month to determine whether it is material or not. So the deadline of four days cannot be missed. I would say so at a minimum you can choose to inform the SEC that yes, we feel that it is potentially a significant event, but we are still investigating or continuing to investigate, but your obligation to report once you have made that internal policy determination that this is your internal deadline to come up with a decision of go, no go needs to be honored. So to speak, you can't miss that four day deadline. You have to inform the SEC. Otherwise, you can miss it. Obviously, nobody is going to force you to recommend. But then you are inviting the SEC to come and penalize you.

Aaron Pritz:

Yeah, no, great points. I'll be as we're coming to a close here for those that are interested in learning more. We actually co authored Tim Sewell, Abhi and myself. Co authored a white paper. We kept it brief and short. I think it's three pages. But it gives some more context, to the specific language that Abhi was talking about. And it also provides some tactics of how to get ready and work through some of the challenges, especially on the governance and risk management reporting. And I think one misnomer, like you got to report that stuff as part of a separate part of this whole, cyber SEC cyber rule, you've got to report that annually, whether you have an incident or not. So there's no waiting around until you have an incident. You got to start working on what you're going to say, literally after December. What is it? Abhi 15th.

Abhishek Bharti:

Yes, December 15th is the deadline. And actually are in that kind of touches to that third pillar that I had mentioned three parts of the SEC rule. The third part is the administrative requirements of reporting using certain formalities of forms that the SEC has already pre established. So, with respect to informing the SEC about, potential sort of material cybersecurity incident, there's a Form 8K, and I'll not go into details of what the 8K is. People can Google it and see it. And then on a quarterly basis, there is another mandatory reporting requirement by the SEC, which is called the Form 10Q, Q standing for quarterly. And then on an annual basis, the same Form 10Q becomes. or is called 10K, K as in for the annual reporting requirements. So while the incident may not wait for your 10Q or a 10, you know, the timing cannot sync necessarily with the filing with the SEC on the 10Q or the 10K. That is why the SEC has an out of turn reporting mechanism of 8K to meet those four business day requirements to use that form for reporting. But on an annual basis, this is what you were alluding to, you, whether or not an organization gets faced with a cybersecurity incident, they still need to disclose their cybersecurity risk management, governance, reporting aspects. to the SEC by way of this annual filing in the 10K. And that is very important. And the last thing I'll add to all of these, which often gets missed by organizations considering, compliance requirements and capabilities, is this cyber requirements, while it has been called out as a cyber disclosure rule and as a new rule, The SEC, based on the 2018 guidance itself, has rights to come and, you know, investigate and penalize organizations that need not wait till December 15th deadline. But the missing part that often gets overlooked is when this incident, let's say, is faced, such an incident is being faced by the organization, they need to ensure that other compliance, associated compliance requirements are also being met. And controls put in, to address those requirements. And by those others, I'll specifically give one example, which is on insider trading. So, because a cybersecurity incident which is being potentially considered as significant or material for reporting to the SEC is sensitive information, the organization needs to have enough controls to ensure that this information is being shared on a need to know basis. And that no insider trading is happening, as a result of this. So the compliance department, the IT department needs to monitor the employees. To ensure that none of that happens by exploiting this information beforehand.

Aaron Pritz:

Perhaps that's because there's been arrests and indictments on such behaviors after a cyber incident. There's always a reason to these new rules, right?

Abhishek Bharti:

Absolutely. Absolutely. You're spot on.

Aaron Pritz:

Awesome. Well, Abhi, thanks for coming on the show today. Really appreciate the deep or moderate dive that we did here. And like I said, for those that want to learn more, we'll put a link to the white paper. In the show notes as well as on the social media posts so that you can go check it out and, follow up with us if you guys have any questions.

Cody Rivers:

Yeah. Abhi. Thanks again, sir. It was a pleasure chatting with you and I'm sure our listeners got some great knowledge and some great tips here for all the upcoming, rules and everything.

Abhishek Bharti:

Sounds good. Thanks everyone.

People on this episode