One of the most critical components of incident response following a data breach is notifying affected employees, partners, customers, and shareholders. But when and how this should occur is often a hot topic amongst security professionals.
Recently, the Securities and Exchange Commission (SEC) took a significant step toward standardizing how public companies disclose cybersecurity incidents. The SEC adopted new rules (the SEC issues rules, not laws) requiring public companies to report a cybersecurity incident on Form 8-K within four business days of determining that the incident is material. In addition, companies must describe their cybersecurity risk management, strategy, and governance in their annual reports, including the board's oversight of cyber risk and management's role and expertise in assessing and managing it.
Since the rules were announced, many security professionals have expressed conflicting opinions. In this piece, we'll explore the policy's strengths and pinpoint areas for improvement.
First and foremost, the ruling signifies a move toward increased transparency and heightened investor protection. A four-business-day disclosure window can provide investors with near real-time information, which is crucial in the midst of incident response and crisis management.
The stipulation for annual disclosure of cybersecurity risk management practices and executive expertise will also be a catalyst for companies to further, or finally, invest in robust cybersecurity measures and competence. It echoes the importance of accountability at the highest organizational levels. After all, cybersecurity is not merely an IT concern; it’s a strategic business issue that demands attention from the C-Suite and the board.
Despite being designed with investor protection in mind, there may also be indirect benefits for consumers. Improved cybersecurity infrastructure and more timely information about data breaches can help protect consumers' data and privacy. The new rules also give companies a stronger incentive to prevent incidents in the first place, since mandatory disclosure exposes them to reputational damage and a potential drop in stock price. This added layer of accountability can thus create an overall safer environment for consumers' personal information.
Areas for Improvement:
These policies set a strong precedent for cybersecurity, financial accountability, and consumer protection. Yet more specific guidance from the SEC could foster greater market integrity.
There is still too much leeway in interpretation. The rules do not define "material" beyond the general securities-law standard (information a reasonable investor would consider important when deciding whether to buy or sell), leaving each company to judge when its own incident crosses that line and leaving courts to sort out disputes after the fact, including cases where someone buys or sells shares based on undisclosed knowledge of an incident.
Additionally, the disclosure obligation falls only on the public company itself. The SEC should take further steps to apply comparable guidelines to other parties who learn of an incident before it is public, for example, government officials receiving confidential information about a data breach. Those officials should not be permitted to use this insider knowledge to buy or sell stock in the company involved.
When a Security Operations Center discovers and escalates a security incident, that moment of discovery (the point that ends the mean time to detect, MTTD) does not start the four days. The four-business-day clock begins once the company determines that the incident is material, and the rules require that determination to be made without unreasonable delay after discovery, so an investigation cannot be stretched out simply to postpone the clock.
Corporations may object that, given how long investigations into cybersecurity incidents take, a four-business-day window is too quick a turnaround. Premature disclosures can spur misinformation or unnecessary alarm, hurting brand image and making the disclosure process stressful. It takes incident responders and IT staff countless hours to produce a complete report. The rule, however, asks for the material aspects of the incident's nature, scope, timing, and likely impact, not a full forensic report, and details that are not yet known can be added in an amended filing. The only built-in exception is narrow: disclosure may be delayed if the U.S. Attorney General determines that it would pose a substantial risk to national security or public safety.
Though this may point to the need for timeline changes, the indirect benefits of a four-business-day deadline for consumers show the importance of timely releases. No matter how long they are given, companies will still complain that they have too little time. A quick timeline protects consumer interests and gives corporations a firm deadline to design their investigation and communication processes around.
So, will the benefits of the new disclosure rules outweigh the areas for improvement?
Most likely, yes. However, the biggest factor in its success will be whether public companies actually comply with the rules.
Overall, the SEC's new rule requiring public companies to report material cybersecurity incidents within four business days is a significant step toward transparency, cybersecurity preparedness, and standardized reporting practices. It shows that the SEC is committed to safeguarding shareholders and maintaining market confidence in the face of evolving cyber threats. Though the policy would benefit from stricter definitions, the SEC's commitment to market integrity gives investors reason to trust that the financial system remains sound and that consumers remain protected.