The U.S. Securities and Exchange Commission (SEC) has adopted new rules aimed at ensuring public companies promptly disclose cybersecurity breaches that could impact their financials. The rules mandate disclosure within four days of identifying a breach, with exceptions allowed if immediate disclosure poses national security or public safety risks. Annual disclosures on cybersecurity risk management and executive expertise in the field will also be required to safeguard investors.
SEC Chair Gary Gensler emphasized the importance of consistent disclosures, citing the potential material impact of cyber incidents on businesses. The new rules aim to bring more transparency to the growing risk of cyber threats and may encourage improvements in cyber defenses. However, smaller companies with limited resources might face challenges in meeting the requirements.
Under the new rules, the clock starts ticking on the four-day reporting window only after a company determines a breach is significant. The U.S. Attorney General can approve a delay in disclosure if it poses substantial national security or public safety risks, but such extensions cannot exceed 60 days.
Not all SEC commissioners were in favor of the new requirements. One dissenting Republican commissioner, Hester Peirce, expressed concerns about the SEC's authority and the potential for hackers to exploit detailed information on cyber risk management. Peirce also cautioned against the SEC becoming too involved in micromanaging company operations.
The rules were initially proposed in March 2022 after the SEC recognized the escalating risk of breaches amid increased digitization and remote work. While certain critical infrastructure operators and healthcare providers are legally obliged to report breaches, no federal breach disclosure law currently exists.
In a recent IBM report, the average cost for organizations to handle breaches was found to be $4.5 million, with a 15% increase over the past three years. The Ponemon Institute researchers revealed that impacted businesses typically pass these costs on to consumers, who might also be victims of stolen personal information in a breach.
The new rule's passage coincides with the aftermath of a major data breach caused by Russian cybercriminals targeting a widely used file transfer program called MOVEit. Numerous organizations, including universities, government agencies, and major companies, have been impacted by the supply chain hack, raising concerns about third-party application security. The new SEC rule acknowledges the increasing reliance on outside cloud services for data management and storage.
Tara Wisniewski, EVP, Advocacy, Global Markets and Member Engagement at (ISC)² shared:
"While we support the fundamental principles of public disclosure to inform and protect shareholders, customers and other constituents, the SEC ruling is worryingly vague. It poses more questions than answers, and may create ambiguity for cyber professionals.
There are no concrete definitions for which cyber incidents must be disclosed, or what the SEC means by “material impact.” There are millions of attempts on businesses daily, some unsuccessful, others partially so. Without clearer definitions, the rules are open to interpretation, which could either lead to over-reporting, distracting cyber professionals from their main task of network protection, or under-reporting, which could expose cyber professionals to personal liability.
Additionally, the board oversight requirements, in our view, do not go far enough, and we would like to see a more formal framework for board oversight responsibilities. The ambiguity only creates more burden for overworked and under-staffed cybersecurity professionals, as boards and corporate leaders will increasingly rely on them for interpretation of the guidance.
So while we support collaborative efforts to protect consumers, the importance of cyber threats and the complexity of management requires very clear guidelines with detailed definitions so cyber professionals do not inadvertently fall afoul of well-intentioned regulation. Cyber professionals are looking for clarity, and this ruling falls short in that regard."