SEC now requires companies to disclose cyberattacks in 4 days

In a move that I think is long overdue, the Securities and Exchange Commission is requiring public companies to disclose cyberattacks within four days:

The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.

The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant’s annual report on Form 10-K.

The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.

Craig Burland, CISO, Inversion6 had this comment:

The SEC continues to ramp up expectations for publicly traded companies. The four-day disclosure, however, is not the kicker here. Companies have two subjective decisions before being forced to disclose. First, they have to determine the cyber event was an incident – data was lost, business was disrupted, etc. Finding sufficient evidence to prove loss takes time. Second, the impact has to be material. For large corporations, this is a high bar that very few incidents would eclipse.

The real toll of this decision is the one not getting the headlines. It’s part two of the requirements: the SEC wants companies to “disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.” Implicit in this decision is that companies have a cybersecurity risk strategy and perform cyber governance. All too often, that’s not the case. A requirement to publicly disclose the practiced level of cyber-competence will open eyes and raise eyebrows across the country.

While not perfect, this is a great move by the SEC, as I think it would force companies to invest in cybersecurity: they would face significant blowback in the form of lower stock values and the like if they were forced to disclose that they were pwned within a four-day window, not to mention having to disclose where they stand in terms of cybersecurity. Perhaps this will be the start of companies finally getting their act together?

UPDATE: I just got a comment on this from Ani Chaudhuri, CEO, Dasera:

The new rules implemented by the SEC are a notable stride towards transparency in a world where cybersecurity incidents are increasingly common. With digital assets becoming increasingly critical to businesses, timely and comprehensive disclosure of such incidents to shareholders is pivotal.

Material incidents are those that have a significant impact on a company’s financials, operations, or reputation – elements which shareholders would indeed consider crucial in making an investment decision. The same principles apply whether we’re talking about a physical asset like a factory, or digital data. Cybersecurity is no longer a domain exclusive to IT professionals; it’s a concern for everyone.

While the SEC’s approach is admirable, it does bring a set of new challenges to the table. The reporting timeline may indeed seem tight, especially for complex incidents where an understanding of the scope and impact may take longer than four days. Given the technical and complex nature of cyber incidents, it’s important to strike a balance between providing timely information and ensuring that information is accurate and complete.

The additional 180 days granted to smaller companies is also a thoughtful concession, acknowledging that not all entities have the same resources to manage and report cyber incidents.

However, it is the clause about the potential postponement of disclosure in instances where it might pose a significant risk to national security or public safety that can be more contentious. While the intent is certainly valid, the execution must be handled carefully. Defining ‘significant risk’ might be a potential gray area, and companies should not misuse it as a loophole to delay disclosure.

Furthermore, while the rules require companies to provide a concise description of the incident, its impact, and the data compromised, they do not require companies to disclose specifics of their incident response plans or details about potential vulnerabilities. In this sense, the rules are a missed opportunity to push companies towards better preparedness and proactive planning. The more information available, the more we can learn and improve our defenses.

Lastly, let’s not forget that this rule is reactive. Disclosing an incident after it has happened does not prevent the incident in the first place. The real need of the hour is to invest more resources in proactive measures that would make our systems more resilient and reduce the chances of such incidents happening in the first place.

The SEC’s new rules are a positive step towards more transparency in handling cybersecurity incidents. Still, valid concerns and potential challenges must be addressed in implementing these rules. As we continue to rely more heavily on digital assets, the onus is on us to evolve our approach towards cybersecurity, making it a key part of strategic decision-making.

UPDATE #2: Another comment has come in from Christopher Prewitt, CTO, Inversion6:

After years of rumor and innuendo, it’s great to see the SEC act, requiring disclosure. This may force some needed attention on the criticality of cyberattacks on companies. More and more organizations fully depend on IT to perform almost every business process, and given the interconnected nature of business in 2023, it can sometimes feel like a house of cards when seeing the impact of an event.

It would be expected that there will be associated fines for those who don’t meet the four-day window. The other requirement of disclosing on an annual basis material information regarding cybersecurity risk management, I believe, is an even more important action. This will likely bring the cybersecurity program to the table in the board room in a more effective manner.
