September 2017

The New Cyber Reality: A Perpetual State of Breach

By Mark C. Ray

Just as individuals and organizations were digesting the implications of the massive Equifax data breach, the Securities and Exchange Commission (SEC) dropped another cyber-bombshell last week, announcing a serious compromise in 2016 of “EDGAR,” the Commission’s system for housing documents filed by publicly traded companies. Just a few days later, global accounting giant Deloitte announced that it, too, had experienced a data breach. It goes without saying that we should expect more and more of these announcements – from organizations large and small, from businesses and government agencies – all underscoring the fact that cyber-based threats continue to evolve at an alarming pace, and no entity is truly immune to these threats.

There is no overstating the irony of the SEC’s announcement, coming against the backdrop of its own increasingly tough cybersecurity requirements. More importantly, this latest development turns a spotlight on the critical question of breach disclosure timing. While many in the security community have criticized Equifax for taking six weeks to disclose its breach, the still-emerging facts of the SEC incident suggest that disclosure lagged nearly a year behind the actual breach. That unexplained delay seriously erodes the credibility of regulators as they try to compel timely disclosures by businesses.

The seemingly feverish attempt by regulators to demonstrate to the public that they are moving aggressively to address cyber issues is already raising major concerns. Many would argue that regulators are creating an environment that prioritizes the threat of legal sanctions against public companies for non-compliance over a focus on constructive efforts to improve cyber defenses and properly monitor for existing threats.

For example, landmark cybersecurity regulations such as the New York State Department of Financial Services’ 23 NYCRR Part 500, and the European Union’s looming General Data Protection Regulation, are imposing sweeping changes on the way personally identifiable information (PII) is handled by businesses, combined with the threat of severe financial penalties for non-compliance or mishandling of PII. While some might argue that this type of regulation is long overdue, does it incentivize the type of behavior we want from the private sector? Or is it widening the chasm in public/private collaboration over cyber matters that the Cybersecurity Information Sharing Act of 2015, or “CISA,” was attempting to mend?

While the recent Equifax and SEC incidents have raised more questions than answers, one thing is clear: individuals, businesses and governments cannot achieve 100% data security. Arguably, we have reached the point where the digitization of our personal and professional lives has outpaced the capacity of the security measures and regulation designed to protect that data. Still, organizations must continue to harden their defenses and test their readiness for major cyber incidents.

Many in the cybersecurity community believe that cyber simulation exercises, better known as “table top exercises,” are among the best tools for businesses to test their readiness. The events of the past two weeks have provided some of the best scenarios for such exercises, and businesses should be closely analyzing some of the behaviors we have observed and asking whether they would have acted differently. As these episodes continue to develop (or unravel, depending on how you look at it), there are some key questions businesses should consider:

  • People versus Process Breakdown: Top people at the SEC – the acting chairman, commissioners and the COO – purportedly knew nothing about the breach. Was that a failure of process or people? Did the SEC actually have in place the kind of internal reporting and disclosure procedures it demands of the companies it regulates? In the Equifax incident, where was the breakdown in board oversight and internal controls that should have prevented the post-incident liquidation of stock by key executives, regardless of their knowledge of the incident? These episodes should prompt senior executives and corporate directors to question their own level of confidence regarding the sufficiency of procedures, the quality of their people, and the strength of their compliance culture.
  • Duty of Disclosure: What exactly is your company’s disclosure priority? If your organization experienced a data breach as large and widely publicized as Equifax’s and the SEC’s, would you take the self-preservation approach and only disclose what is required by law? Or would your priority be to the customers/clients whose data has apparently been compromised, so they can take corrective steps as quickly as possible? Regardless of the answer, are senior executives and the board at your organization sufficiently explicit about their priorities? Can your business act quickly when faced with a cyber crisis and avoid a difficult debate after the fact while under unimaginable pressure from regulators, shareholders, customers and the press?
  • Timing of Disclosure: Both Equifax and the SEC have been heavily scrutinized for their delay in publicly disclosing these incidents. However, this is one area that arguably has no right answer. Many factors such as law enforcement investigations, multi-jurisdictional issues, and proper breach quantification all play into the equation. While there’s never a good time or way to disclose a data breach, it’s particularly painful when forced to do it multiple times. Many of the retail breaches that occurred between 2010 and 2014 were immediately followed by rushed disclosures consisting of inaccurate figures; each update with additional data simply prolonged and exacerbated the publicity. Organizations need to understand how quickly they can quantify the impacts of a breach, and whether they have data properly classified and cataloged to aid in an investigation.
