The U.S. Securities and Exchange Commission this week announced new rules mandating the disclosure of cybersecurity incidents as well as ongoing risk management, strategy, and governance.
The rules, which take effect 30 days after publication in the Federal Register, require public companies to disclose a cybersecurity incident on Form 8-K within four business days of determining that the incident is material (the clock starts at the materiality determination, not at discovery), describing its nature, scope, and timing and its actual or reasonably likely material impact.
Delays in disclosure are only permissible “if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing,” according to the SEC.
Separately, the new Regulation S-K Item 106 requires public companies to describe in their annual reports (Form 10-K) their processes for identifying, assessing, and managing material risks from cybersecurity threats, the roles of management and the board of directors in overseeing those risks, and whether any threats or previous cybersecurity incidents have materially affected, or are reasonably likely to materially affect, the company.
A Focus on Shareholders
Stressing the potential impact of an incident on shareholders, SEC chair Gary Gensler said in a statement that a cybersecurity incident can be as material to investors as a company’s factory burning down in a fire.
“Currently, many public companies provide cybersecurity disclosure to investors,” Gensler said. “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
Still, Exabeam CISO Tyler Ferrar told eSecurity Planet by email that he’s hopeful the rules will benefit consumers too by encouraging better security.
“With the new rules in place, companies may be more incentivized to avoid the reputational damage and potential drop in stock value that could follow a public breach disclosure,” Ferrar said. “This added layer of accountability can thus create a safer environment for consumers’ personal information.”
National Data Privacy Law Still Needed
Traceable AI CSO Richard Bird said the new rules are an insufficient response to a much larger problem. “Rather than exhibiting the courage and coordination required to create something as crucial as a national data privacy law, once again agencies like the SEC are pushing for faster breach notifications in the hopes that the American people will think the government is addressing the need for stronger cybersecurity,” he said. “But breach notices are not security – and never will be.”
The problem, Bird said, lies in viewing security through a rearview mirror. “Breach notices are an outcome, not a protection,” he said. “The enormous resistance of our federal government to mandate basic security principles as a requirement for doing business in our nation is inexcusable. It is time for it to treat cybersecurity as a proactive measure rather than an afterthought.”
The Biden Administration has proposed a national data privacy law as part of its cybersecurity strategy – but such a law would face resistance in the current divided Congress.
Getting Ready to Respond
Safe Security CEO and co-founder Saket Modi said by email that organizations will need to move fast to be ready to follow the new rules, particularly since it may not be easy to determine what the key word “material” actually means. “Most organizations are not prepared to comply with the SEC guidelines, as they cannot determine materiality, which is core to shareholder protection,” he said. “They lack the systems to quantify risk at broad and granular levels.”
However, KnowBe4 security awareness advocate James McQuiggan pointed out that while the requirements may seem aggressive, they’re far more lax than those in many other countries. “Within the EU, the UK, Canada, South Africa, and Australia, companies have 72 hours to report a cyber incident,” he said. “In other countries like China and Singapore, it’s 24 hours. India has to report the breach within six hours. Either way, organizations should have repeatable and well-documented incident response plans with communication plans, procedures, and requirements on who is brought into the incident and when.”
Private Companies May Be Affected
The focus on shareholders creates something of a two-tier cybersecurity regulation system between public and private companies – and their customers.
But Jeffrey Wheatman, senior vice president and cyber risk evangelist at Black Kite, said private companies should also take note of the new rules, since they may be working with customers or vendors who will need to comply with them.
Key steps for such companies to take, Wheatman said, include the following:
- Speak with security teams and find out what security and risk management programs they have in place — this should also be articulated to the board and C-Suite.
- Create a process for drafting Form 8-Ks (the report of unscheduled material events or corporate changes that a public company must file with the SEC) faster, which can include a template for different types of breaches and attacks so the four-business-day reporting deadline can be met.
- Put a cyber expert on the board of directors — right now, this role is often missing on the board and can help expedite and manage security challenges.
- Have an automated solution in place to help you fully understand and manage third-party risk — this will help get ahead of breaches and identify compliance and security gaps before they become a point of compromise for your organization.