
New Cyber Incident Reporting Requirements for Listed Companies: SEC Calls for 4-Day Window for Publicly Traded Companies

The Securities and Exchange Commission (SEC) is looking to standardize cyber incident reporting requirements for publicly traded companies, and the lead proposal would give these companies a four-business-day window, running from the point at which they determine an incident is material, to report it.

The proposal comes as part of a package of amendments addressing cybersecurity risk management, strategy, governance, and incident reporting by public companies. Many of these companies already report cyber incidents for the benefit of investors, but the SEC is looking to establish a more regular and predictable system. The new rules would bring other changes as well: periodic follow-up reporting on previously disclosed incidents; regular reporting on the policies and procedures used to identify and manage cybersecurity risk; disclosure of the board of directors’ oversight of cybersecurity risk; and disclosure of management’s role and expertise in assessing and managing that risk and in implementing cybersecurity policies and procedures.

SEC proposal lays out new cyber incident reporting requirements for listed companies

The cyber incident reporting proposal has been opened to a public comment period, set to last until May 9. Interested stakeholders can submit paper comments by mail to the SEC in Washington, by email, or via an online form at the sec.gov website.

The proposal cites the new and emerging risks of the “digitally connected world” as the reason for revising cyber incident reporting rules: increasing digitalization of operations, remote work becoming far more common, increased reliance on cloud services, and increased opportunities for cyber criminals to monetize attacks and receive payments. The paper also notes that these attacks now potentially have a major impact on critical infrastructure, national security and the economy.

As Casey Ellis, Founder and CTO at Bugcrowd, notes: “This is a significant development: the SEC is recognizing and emphasizing the direct impact a company’s cybersecurity posture can have on its value. More importantly, the recommendation refocuses their advice on addressing breaches as a ‘when, not if’ matter, promoting transparency rather than avoidance. In many ways, this reflects what we’ve seen from firms and organizations who have made vulnerability disclosure and transparency a standard, and are now regarded as the most secure, trustworthy, and valuable in the market.”

The paper also notes something backed up by numerous surveys and studies conducted in the last two or three years: cyber attack costs are rising substantially. Business interruption expenses, ransom payments, remediation, insurance, litigation and reputational damage costs are all up substantially as ransomware has roared back to life.

United States investors appear to have a particular interest in cybersecurity as well; the paper names it as the most critical governance-related issue at present. Investors are now considering factors such as investments in cybersecurity technology, cyber incident reporting practices, risk management, and strategies for defense and mitigation.

SEC guidance on cybersecurity disclosure under the Securities Act and the Exchange Act has to date been interpretive only: staff guidance issued by the Division of Corporation Finance in 2011, expanded by the Commission’s 2018 Interpretive Release. If the new cyber incident reporting terms are adopted after the comment period, they would be the first binding rules of this type.

Tim Erlin, VP of Strategy at Tripwire, notes that this fits an ongoing Biden administration trend, but that there has also been pushback against this sort of requirement: “The proposed SEC rule fits well into this trend around cybersecurity reporting requirements, but fast isn’t always better, and with cybersecurity, fast is almost never accurate. Cybersecurity incidents are complex, and difficult to investigate. Getting a complete picture takes time. While the headline may be a 48 hour reporting requirement, the SEC rule also includes an interesting requirement to provide updates ‘if any previously reported information about a significant cybersecurity incident becomes materially inaccurate or if the adviser discovers new material information related to an incident.’ The public disclosure of these additional details as they are uncovered will provide more value to the industry than the initial reporting requirement. Organizations can only learn how to protect themselves from similar attacks if they understand what happened.”

James McQuiggan, Security Awareness Advocate for KnowBe4, adds: “A ransomware attack may impact production, triggering the reporting requirement and starting the clock ticking. However, in those four days, organizations may not be aware if data was stolen, what type of data may be at risk, if the bad actors have been removed from the system, or any number of critical factors that may impact the severity of the event. This could lead to guesses and incorrect information being reported, which could be more harmful than waiting a little longer to determine the actual impact to the organization.”

Large variance in voluntary disclosure practices cited as factor

The SEC paper takes some time to note that organizations vary widely in their cyber incident reporting practices, and indicates that this variance was a factor in the decision to take a firmer regulatory stance in this area.

The paper notes some interesting trends. For example, smaller companies generally provide less detail in their disclosures than larger companies do, and the industries that tend to suffer high-profile cyber attacks are actually among those that voluntarily disclose the least information.

The level of detail in reporting apparently varies greatly from company to company, and some companies appear to “camouflage” cyber incident reporting by blending it in with other unrelated disclosures, in the apparent hope of evading investor attention. The SEC finds that things have generally improved since the release of the 2011 and 2018 guidance, but that cyber incident reporting nevertheless often contains “insufficient detail” and does not happen in a timely enough manner.

In addition to the regulatory nudge toward better practice, an SEC spokesperson said that improving cyber incident reporting standards has a “special relevance” at the moment because of the situation in Ukraine. Russia has yet to engage in large-scale cyber warfare against the countries supporting Ukraine, but security experts consider it a possibility should Russia take offense at arms or equipment supplies.

Specific information that would need to be disclosed within the reporting window (should the new measure ultimately be adopted) includes the date the incident was discovered, whether or not it is ongoing, a “brief description” of its nature and scope, whether any data was stolen or altered, the effect of the incident on the registrant’s operations, and whether the incident has been remediated or is currently being remediated. This initial disclosure would be made on Form 8-K. The “periodic disclosures” of the impact of cyber threats would be required quarterly in 10-Q reports as well as in the annual 10-K report.

Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea, summarizes what else publicly traded organizations can expect from this development: “The SEC’s amendment proposals reinforce the importance of being incident response ready and not just having a plan, having a solid backup and recovery strategy that includes ransomware mitigation, enforcing strong identity and access security controls, and ensuring auditing and compliance best practices are prioritized. The proposals however appear to treat data breaches and cybersecurity incidents all equally rather than risk-based, which is a big surprise. We know that the impact and severity of data breaches and cybersecurity incidents can vary significantly depending on the scale and type of data impacted. Organizations are really going to need to ramp up their incident response plans to be incident response ready, as many organizations even after 4 days of discovering a data breach are still trying to identify the impact, so reporting an incident at the same time will require quick incident response capabilities.”

SEC Chair Gary Gensler has also previously stated that this proposal is one part of a longer, multipart plan to strengthen cybersecurity regulation generally, and that further regulatory updates may follow, including new requirements for the protection of consumer information.