Securities and Exchange Commission (SEC) of United States has recently given its approval to groundbreaking regulations. These regulations oblige publicly traded companies to promptly disclose any significant cyberattacks within a maximum of four days of detection. This marks a significant departure from the previous method of disclosing computer breaches.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC chair Gary Gensler said. Public companies now offer cybersecurity disclosure to investors in great numbers. Making this disclosure in a consistent, comparable, and decision-useful manner would greatly benefit both companies and investors.
In order to achieve this goal, the new requirements oblige companies to disclose not only the nature, scope, and timing of the iPlease simplify the text below, while retaining its main idea.
“Please provide a detailed report not only describing the incident, but also explaining its impact.” Disclosure may be delayed by up to 60 days if it is determined that providing specific information would endanger national security or public safety.
Registrants must provide an annual description of the methods and strategies used to assess, identify, and manage material risks from cybersecurity threats. They must also report on the material effects or risks resulting from these events, and provide information on ongoing or completed remediation efforts.
“The key word here is ‘material’ and being able to determine what that actually means,” Safe Security CEO Saket Modi told The Hacker News. “Most organizations are not prepared to comply with the SEC guidelines as they cannot determine materiality, which is core to shareholder protection. They lack the systems to quantify risk at broad and granular levels.”
The rules do not cover specific technical information about the registrant’s planned response to the incident, their cybersecurity systems, related networks and devices, or potential system vulnerabilities that could hinder their response or fixing of the incident.
Proposed in March 2022, this policy aims to enhance transparency regarding the threats that American companies encounter from cybercrime and nation-state actors. Its objectives include closing gaps in cybersecurity defense and disclosure practices, as well as strengthening systems against data theft and intrusions.
Kroll reports that Cl0p, a ransomware gang, has been on a cyber attack rampage, targeting over 500 companies. These attacks have been possible due to the gang’s exploitation of critical vulnerabilities in commonly used enterprise software. Furthermore, Kroll reveals that the threat actors have adopted innovative data exfiltration techniques, successfully stealing valuable information.
According to Amit Yoran, Tenable’s CEO and Chairman, the recently implemented regulations regarding cyber risk management and incident disclosure are not just accurate, but also represent a significant leap towards achieving enhanced transparency and accountability.
Yoran stressed the need to inform investors about an organization’s efforts in managing cyber risks. This is crucial because cyber breaches can have serious consequences and damage the organization’s reputation.
However, some people have expressed concerns about the tight timeframe, as it could potentially lead to inaccurate disclosures. This is because companies may need several weeks or even months to thoroughly investigate a breach. Furthermore, issuing breach notifications prematurely can potentially alert other malicious individuals to a vulnerable target and intensify security threats.
James McQuiggan, security awareness advocate at KnowBe4, acknowledged that the new SEC requirement of reporting cyber attacks or incidents within four days may appear aggressive at first glance. However, he pointed out that compared to other countries, this timeframe is actually more lenient.
“Within the E.U., the U.K., Canada, South Africa, and Australia, companies have 72 hours to report a cyber incident. In other countries like China and Singapore, it’s 24 hours. India has to report the breach within six hours.”
“Organizations should have clear and documented incident response plans that include communication plans, procedures, and requirements for involving relevant personnel,” explained McQuiggan.