
New SEC Rules Require Incident Disclosure for Cybersecurity Breaches Within Four Days

New rules adopted by the Securities and Exchange Commission (SEC) last week require publicly traded companies to disclose any cybersecurity incident they determine to be material within four business days. There are caveats that can push that disclosure out: the clock starts not when the incident is discovered but when the company determines it is material (a determination the rules say must be made “without unreasonable delay”), and disclosure may be delayed if the U.S. Attorney General determines that it would pose a substantial risk to national security or public safety.

In addition to the new incident disclosure requirement, the rules stipulate that these companies must describe in their annual report (Form 10-K) their processes for assessing, identifying and managing material cybersecurity risks, the board’s oversight of those risks, and management’s role in handling them. Foreign private issuers are subject to equivalent requirements on Forms 6-K and 20-F.

SEC: Cybersecurity breaches must be better documented going forward

The rules become effective 30 days after publication in the Federal Register, which the SEC expected to mean roughly the end of August. Compliance with the Form 8-K incident disclosure requirement begins 90 days after publication or December 18, 2023, whichever is later, and “smaller reporting companies” are given an added grace period of 180 days beyond that. The new annual reporting requirements apply to fiscal years that end on or after December 15 of this year.

Craig Burland, CISO of Inversion6, believes that the second requirement will end up being more significant than the first: “The real toll of this decision is the one not getting the headlines. It’s part two of the requirements: the SEC wants companies to ‘disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.’

Implicit in this decision is that companies have a cybersecurity risk strategy and perform cyber governance. All too often, that’s not the case. A requirement to publicly disclose the practiced level of cyber-competence will open eyes and raise eyebrows across the country.”

SEC Chair Gary Gensler compares the potential material damage done by cybersecurity breaches to that of a fire that destroys physical records, which is hardly hyperbole given the soaring cost of ransomware and data extortion incidents. The rules were first proposed in March 2022, when the SEC took the position that investors had a right to be promptly informed of possible financial damage, given how heavily companies across many industries had shifted to remote work and cloud-based services in recent years.

The move comes amidst a small wave of regulatory bodies exercising their existing powers to push private companies on cybersecurity, even as a comprehensive federal data protection law and a general-purpose breach reporting requirement remain out of reach. To date, though, this has mostly been aimed at critical infrastructure companies by the specific agencies that regulate them.

The new rules did pass the SEC vote, but only barely, at 3-2. One of the primary concerns was the disproportionate impact that the incident disclosure requirements could have on small businesses. According to IBM’s 2022 Cost of a Data Breach report, it still takes the average company about 277 days to identify and contain a breach. Even major companies with a strong focus on cybersecurity, such as Microsoft, have had intruders in their environments for months before noticing and properly assessing the damage.

Melissa Bischoping, Director, Endpoint Security Research at Tanium, elaborates on the case against the shortened breach reporting window: “It is the right thing for organizations to disclose breaches, but at face value, forcing a rapid public disclosure is a bad idea. It will result in reactive market behavior, erosion of trust, and confusion, and in some cases it may even give insight to the attacker on your visibility. Showing your hand that you know the attacker is in the environment too early may cause them to change their TTPs and evasion strategy mid operation, making it more challenging to get evidence and ensure you’ve fully remediated. Any compliance-driven early disclosure requirements must come with careful review and consideration of the cost to the critical incident response process.”

There was something of a partisan political bent to the outcome: the Commissioners are split 3-2 along party lines in favor of Democrats, and so was the vote. Republican commissioner Hester Peirce issued a dissenting statement summarizing small business and other concerns, among them the possibility that the SEC is overstepping its legal authority, and that mandating a predictable response to cybersecurity breaches might aid attackers and disrupt containment and mitigation measures. Peirce also opined that the new incident disclosure rules might harm investors by adding substantial cost to the process, noting that the Commission “lacked data” to quantify exactly what those added costs would be.

Democrat Commissioners in favor of the new rules acknowledged that these concerns were valid, but felt that they were overshadowed by the need for investors to have timely information about cybersecurity breaches. Saket Modi, CEO and Co-Founder of Safe Security, notes that the wording of the new incident disclosure rules could wind up being in legal question: “Organizations are in a mad dash to meet these newly adopted SEC Cyber Rules, which have identified a 4-day disclosure process for companies on ‘material’ hacks. The key word here is ‘material’ and being able to determine what that actually means. Most organizations are not prepared to comply with the SEC guidelines as they cannot determine materiality, which is core to shareholder protection. They lack the systems to quantify risk at broad and granular levels. The game needs to change to focus on protecting systems that pose the biggest material risk to business and making cyber investments that will reduce the likelihood of material risk breaches. This means businesses will have to translate bits and bytes of cyber risk into dollars and cents of ‘material’ business risk.”

More attention paid to incident disclosures as slow and inaccurate notifications raise ire

The Securities Industry and Financial Markets Association (SIFMA), an industry lobbying group, issued a statement claiming that the new rules require incident disclosure at a time that is “premature” and could cause unnecessary damage to a company that is still assessing and mitigating the fallout of cybersecurity breaches. But the pendulum has tended to swing the other way with numerous major incidents as of late, with disclosures coming well after the fact and follow-on revisions coming much later that indicate things were much worse than initially appraised.

There is some legitimate concern that such a tight window for incident disclosures could lead to inaccurate initial reporting, though it is also fair to note that many other technologically advanced nations now have reporting requirements for cybersecurity breaches that are as short as 24 hours. Some companies impacted by this change are already headed for even stricter requirements: critical infrastructure operators face a 72-hour incident reporting window under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) once the Cybersecurity and Infrastructure Security Agency (CISA) finalizes the rules implementing it.

Avishai Avivi, CISO at SafeBreach, expands on potential conflicts of this nature: “Often, various regulatory frameworks have different and, occasionally, conflicting requirements. For example, in the event of a breach of personally identifiable information (PII), each state has different notification thresholds and requirements. The new SEC ruling will require that publicly traded companies notify investors on 8-K forms within 4 days following the determination of material impact. These new regulations are an important step toward creating a more consistent and efficient notification timeframe. Additionally, another new rule put forth by the SEC will require businesses to describe methods and strategies used, if any, in managing cyber risk annually. This will add a layer of accountability for the publicly traded companies affected by these new rules and streamlining new and existing regulations will aid companies with compliance. In the pursuit of compliance, it is also important for companies such as these to implement a proactive security program that continuously validates for security control efficacy.”

Oz Alashe, CEO of CybSafe, sees more work ahead of the SEC in this area: “Following the implementation of these rules, the SEC will need to walk a fine line between ensuring compliance and supporting organizations in driving the improvement of specific security behaviors within the workforce. While rules such as these are necessary to move the needle on important issues, ultimately, they must be a catalyst to drive positive and meaningful behavioral change. People want to be part of the solution, and hopefully, these interventions will encourage organizations to help them.”