The U.S. Securities and Exchange Commission (SEC) on Wednesday approved new rules that require publicly traded companies to publicize details of a cyber attack within four days of identifying that it has a "material" impact on their finances, marking a major shift in how computer breaches are disclosed.
"Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors," SEC chair Gary Gensler said. "Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way."
To that end, the new obligations mandate that companies reveal the incident's nature, scope, and timing, as well as its impact. This disclosure, however, may be delayed by an additional period of up to 60 days should it be determined that giving out such specifics "would pose a substantial risk to national security or public safety."
They also necessitate registrants to describe on an annual basis the methods and strategies used for assessing, identifying, and managing material risks from cybersecurity threats, detail the material effects or risks arising as a result of those events, and share information about ongoing or completed remediation efforts.
"The key word here is 'material' and being able to determine what that actually means," Safe Security CEO Saket Modi told The Hacker News. "Most organizations are not prepared to comply with the SEC guidelines as they cannot determine materiality, which is core to shareholder protection. They lack the systems to quantify risk at broad and granular levels."
That said, the rules do not extend to "specific, technical information about the registrant's planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant's response or remediation of the incident."
The policy, first proposed in March 2022, is seen as an effort to bring more transparency into the threats faced by U.S. companies from cybercrime and nation-state actors, close the gaps in cybersecurity defense and disclosure practices, and harden the systems against data theft and intrusions.
In recent months, more than 500 companies have become victims of a cyber attack spree orchestrated by a ransomware gang called Cl0p, propelled by the exploitation of critical flaws in software widely used in enterprise environments, with the threat actors leveraging new exfiltration methods to steal data, according to Kroll.
Tenable CEO and Chairman, Amit Yoran, said the new rules on cyber risk management and incident disclosure is "right on the money" and that they are a "dramatic step toward greater transparency and accountability."
"When cyber breaches have real-life consequences and reputational costs, investors should have the right to know about an organization's cyber risk management activities," Yoran added.
That said, concerns have been raised that the time frame is too tight, leading to possibly inaccurate disclosures, given that it may take companies weeks or even months to fully investigate a breach. To complicate the matter further, premature breach notifications could tip off other attackers to a susceptible target and exacerbate security risks.
"The new requirement set forth by the SEC requiring organizations to report cyber attacks or incidents within four days seems aggressive but sits in a more lax time frame than other countries," James McQuiggan, security awareness advocate at KnowBe4, said.
"Within the E.U., the U.K., Canada, South Africa, and Australia, companies have 72 hours to report a cyber incident. In other countries like China and Singapore, it's 24 hours. India has to report the breach within six hours."
"Either way, organizations should have repeatable and well-documented incident response plans with communication plans, procedures, and requirements on who is brought into the incident and when," McQuiggan added.