To many, the new SEC rules that require public companies to disclose “material” cybersecurity incidents within four days of determining their materiality may seem like a challenging, if not unreasonable, demand. Ransomware attacks, in particular, come without warning. In the early days after an attack is revealed, employees at affected companies can feel shell shocked and unsure which way to turn. It can take days to just gather intelligence about the event and properly measure an attack’s true impact on the company.
Still, the rules should be considered a fair step given the number of cyberattacks that continue to take place and the threats they pose to investors of public companies. According to Astra Security, a cyberattack occurs every 39 seconds; with less than a minute to mitigate each one, it’s no wonder cybercrime is predicted to cost companies $9.5 trillion by 2024.
Looking closely at the SEC crackdown, it could prove to be just the nudge companies need to finally prepare the kind of proper incident response plans (IRPs) that would help them with fast-turnaround reporting. The number of companies that haven’t done so is higher than you’d think.
One study, by FRSecure, determined that only 45% of companies have incident response plans in place. That number drops to 40% for companies with 100 employees or fewer. And, amazingly enough, it’s even lower (38%) for companies with more than 500 employees – the types of companies that are more likely to be publicly traded.
A second study, by Statistica, broke the issue down further, showing a wide range of IRP preparedness for specific kinds of incidents. More companies have put plans in place for DDoS attacks (65%), followed by malware (57%), phishing (51%), insider incidents (46%), business email compromise/CEO fraud (36%), disaster recovery (35%), supply chain attacks (32%), and advanced persistent threats (29%).
All of these threat types are covered by the new SEC rules. You have to report them, and you have to document how your leadership prepared to prevent them.
Per the new SEC rules, public companies must now follow these specific cybersecurity disclosure guidelines:
- Disclose cybersecurity incidents within four business days and describe their nature, scope, timing and material or likely material impact.
- Detail processes for assessing, identifying and managing material risks from cybersecurity threats.
- Describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks.
One stipulation in the rules that has caused confusion is when the four-day clock starts ticking. It doesn’t start immediately after a breach is discovered – only after it’s determined to be material. The definition of “material” can vary case by case, but legal experts say most situations will show clear evidence that a breach has caused material damage to a company’s finances or brand reputation.
So, even though companies may be able to claim a few days’ grace period while they assess an incident’s material impact, they have to move quickly following an attack. That can be done only if they have response plans in place.
The value of developing such a plan is clear. Not only will you be better prepared to report an incident in a timely manner – you can minimize its impact and stand a better chance of getting your operations back up and running. That can have a huge effect on the bottom line. According to an IBM study, organizations that implement a cyber incident response plan save an average of $2.66 million per attack.
Of the six key elements any incident response plan should include, the most important in light of the SEC announcement is setting a clear plan for communicating what’s happened to the affected parties. Prompt communication will help mitigate longer-term consequences such as loss of credibility and punitive damages. Actions to take once you’ve discovered an incident include:
- Assemble your resources: Gather all available information, meet with a predesignated committee of internal leaders, and prepare specific communications for specific audiences.
- Communicate internally: Inform all affected employees and functions immediately and notify them of steps taken to contain the incident. Issue regular updates.
- Notify relevant authorities: Report the incident to local, state or national law enforcement officials as required by local ordinances. Relevant authorities now include the SEC. Ensure you meet all legal obligations regarding specific privacy and data protection regulations.
- Communicate externally: Notify customers and business partners of the incident and release appropriate information regarding the extent of the damage. Note that it’s common for ransomware operators to threaten to release confidential information in order to coerce victims into paying the ransom.
- Be transparent: While it is natural for companies to want to hide damaging information, news of cyberattacks inevitably gets out. Transparency minimizes harm to reputation, helps investigators and provides affected parties with an opportunity to take steps to protect sensitive data.
Incident response plans should also include all the basic cyber protection elements: preventative measures, shoring up detection and response capabilities, containment strategies, eradication strategies, risk assessment updates, and steps to recover data and restore your systems so you can get back to work. Organizations should also perform periodic tabletop exercises to practice and refine response procedures, so that they can communicate relevant details within the required timeframes.
Four days might seem like a long time to respond to a business email or a family member’s request for a favor. But it’s not long when you’re forced to act under the pressure of an SEC mandate. Companies should make preparing incident response plans a priority: such plans will help them meet compliance obligations and could save their business.