They’ve been detailed, debated, and fretted about for months, but as of today, the Securities and Exchange Commission’s new set of rules dictating how and when public companies must disclose “material” cyberattacks go into effect.
The new regulation and the SEC itself have gotten their share of blowback from companies worried that the rules – which include disclosing a breach within four days of the victim company deeming it material – will be expensive to abide by and may open them up to more cyber-risks by disclosing information about the attack and the company’s response.
That said, there are also proponents who argue that at a time when the number of cybersecurity incidents and their severity continue to grow, regulators, investors, and the public should know in a timely fashion about attacks that could cause significant losses to the companies.
“The new SEC cybersecurity disclosure rules represent a noteworthy advancement in corporate transparency and investor protection,” John Pirc, vice president at cybersecurity firm Netenrich, told Security Boulevard. “By mandating timely disclosure of material cybersecurity incidents, and the requirement for detailed annual reporting on risk management strategies, these rules bring clarity and standardization to how public companies report cybersecurity issues.”
Callie Guenther, senior manager of cyberthreat research at Critical Start, said the four-day reporting deadline for breaches “is ambitious, aiming to ensure timely disclosure to protect investors and the public. However, it can be challenging for businesses, especially since the initial days following a breach are often focused on containment and assessment.”
Breaches can vary in their complexity and scale, and it won’t always be immediately clear whether an attack is significant enough to require a report to the SEC, Guenther said.
“This short timeframe could lead to either over-reporting or under-reporting as companies rush to comply,” she said.
The SEC finalized the regulation in July, requiring that public companies report cyber-incidents to the agency on a Form 8-K, including such details as what the incident involves, its timing, and its material impact. In addition, companies each year will have to outline the cybersecurity processes, management, and strategy they have in place.
Smaller companies don’t have to comply until mid-June.
Even months after the SEC approved the rules, there is confusion about parts of them, including how to define what makes an attack “material.” Erik Gerding, director of the SEC’s Division of Corporate Finance, recently wrote a blog post hoping to clear up some of the questions, including why new regulations were even necessary.
“Cybersecurity risks have increased alongside the ever-increasing share of economic activity that depends on electronic systems, the growth of remote work, the ability of criminals to monetize cybersecurity incidents, the use of digital payments, and the increasing reliance on third party service providers for information technology services, including cloud computing technology,” Gerding wrote.
AI and other advanced technologies will enhance both companies’ capabilities to protect themselves and the ability of threat actors to launch complex attacks. The SEC also noted that the cost of cyberattacks to companies and investors is growing.
The new regulation also is part of a larger government-wide effort led by the Biden Administration to shore up cybersecurity within the federal government and influence what is done in the private sector.
Gerding wrote that the SEC took into account the need for timely disclosure of incidents without detailing information about planned responses to the attack, cybersecurity systems, networks and devices, or possible system vulnerabilities to the point where it would hurt the victim company’s ability to respond or remediate.
The four-day reporting deadline falls in line with the disclosure timelines for other material decisions by companies, from significant deals to bankruptcy. Similarly, using the materiality standard for disclosure keeps the rules consistent with other federal securities laws rather than creating a new standard for disclosure, Gerding wrote. The definition has changed over the years, with the SEC in 1982 defining materiality as information where there is “a substantial likelihood that a reasonable investor would attach importance in determining whether to purchase the security registered.”
That said, companies can delay reporting if doing so would pose a national security or public safety risk, with the FBI being involved in the decision to delay.
Nakul Goenka, risk officer at cloud zero-trust company ColorTokens, told Security Boulevard the rules offer some flexibility in what is considered a material incident, but “we might also see some litigation based on decisions taken by the management teams. It will be interesting to see how these rules are actually applied and whether the benefits will offset the costs and burden.”
Now companies will have to determine how best to respond to these rules.
Dana Simberkoff, chief risk, privacy and information security officer at security firm AvePoint, said a detailed communications plan will improve how information is shared internally and externally, create trust with customers, and keep the security team in front of threats.
“That plan absolutely must take compliance around disclosure into account,” Simberkoff said. “It’s critical to establish a clear vulnerability reporting policy for your customers, to communicate associated risk and protocols in case of an exploitable vulnerability that must be addressed.”
Such proactive communications that assess and report platform vulnerabilities provide customers transparency, while “giving customers straightforward guidelines to report security vulnerabilities not only helps identify and track areas of risk, but also furthers your organization’s commitment to security for customers,” she said.