The U.S. Securities and Exchange Commission (SEC) on Wednesday adopted new rules requiring publicly listed companies to disclose a cyber attack within four business days of determining that it has had a “material” impact on their business, a significant change in how digital breaches must be reported.
“When a company suffers losses, whether due to a factory fire or a cybersecurity incident that erases millions of files, it could be material to investors,” stated SEC chair Gary Gensler. “At present, numerous public corporations provide investors with cybersecurity disclosures. I believe that a more consistent, comparable, and decision-useful method of disclosure would be advantageous to both companies and investors.”
The newly approved rules require companies to describe the nature, scope, and timing of the incident, as well as its material impact. Disclosure may be delayed, for up to 60 days, if the U.S. Attorney General determines that releasing the details “would constitute a considerable risk to national security or public safety.”
Companies are also required to describe annually the processes they use to assess, identify, and manage material risks from cybersecurity threats, explain whether any such risks or prior incidents have materially affected or are reasonably likely to affect the business, describe the board’s oversight of cyber risk and management’s role in managing it, and report on remediation efforts that are ongoing or complete. Incident disclosures are filed on Form 8-K; the annual disclosures go in the Form 10-K.
“The term ‘material’ is crucial, and its interpretation is key,” Safe Security CEO Saket Modi commented to The Hacker News. “A majority of organizations are not prepared to comply with the SEC guidelines since they struggle to ascertain materiality, a fundamental aspect of shareholder protection. They are lacking the systems to measure risk at extensive and granular levels.”
The rules do not, however, require a registrant to disclose “specific, technical details about the registrant’s planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would interfere with the registrant’s response or remediation of the incident.”
First proposed in March 2022, the rules are intended to improve transparency about the threats U.S. companies face from cybercriminals and nation-state actors, close gaps in cybersecurity defense and disclosure practices, and strengthen resilience against data theft and breaches.
The vote comes shortly after more than 500 organizations were hit in a mass-exploitation campaign by the Cl0p ransomware group, which abused critical vulnerabilities in widely used enterprise software; according to Kroll, the attackers also employed new data exfiltration methods.
Tenable CEO and Chairman, Amit Yoran, praised the new rules on cyber risk management and incident disclosure as “right on the money” and a “dramatic step toward greater transparency and accountability.”
“Given that cyber breaches can have tangible consequences and reputational costs, investors are entitled to knowledge about an organization’s activities in managing cyber risk,” Yoran stated.
The four-day window has nonetheless drawn criticism for its brevity. Critics argue that companies may be pushed to file before the facts of an incident are established, producing inaccurate disclosures, and that publicly announcing an incident before it is contained could alert other attackers to a vulnerable target. Note that the clock starts when the company determines the incident is material, not when it is discovered, although the rules require that determination to be made “without unreasonable delay” after discovery.
“The SEC’s new requirement for organizations to report cyber attacks or incidents within four days appears ambitious, yet is more relaxed compared to other countries,” James McQuiggan, a security awareness advocate at KnowBe4, noted.
“Countries like the U.K., the E.U., Canada, South Africa, and Australia mandate companies to report a cyber incident within 72 hours. For China and Singapore, the timeframe is 24 hours, while India demands breach reports within six hours.”
“Regardless, it is crucial for organizations to have well-documented and repeatable incident response plans, complete with communication plans, procedures, and rules regarding who is involved in the incident and when,” McQuiggan added.