New SEC Rules for Cyber Attack Disclosure
The U.S. Securities and Exchange Commission (SEC) has approved new rules requiring publicly traded companies to disclose a cybersecurity incident on Form 8-K within four business days of determining that the incident is "material" to investors. Note that the clock starts at the materiality determination, not at the moment the intrusion is discovered; the rules do require that determination to be made without unreasonable delay. This marks a significant shift in how computer breaches are disclosed, treating cybersecurity incidents like any other information that matters to investors.
Material Impact and Investor Protection
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC chair Gary Gensler. The new obligations require companies to describe the material aspects of the nature, scope, and timing of the incident, as well as its material impact (or reasonably likely material impact) on the company, including its financial condition and results of operations. Disclosure may be delayed only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety; the initial delay is up to 30 days and can be extended to 60 days. The company cannot grant itself this delay.
Cybersecurity Risk Management and Remediation Efforts
The rules also require companies to describe annually, in their Form 10-K, the processes they use for assessing, identifying, and managing material risks from cybersecurity threats, along with the board's oversight of those risks and management's role in handling them. Companies must also state whether any risks from cybersecurity threats, including previous incidents, have materially affected or are reasonably likely to materially affect their business, strategy, results of operations, or financial condition, and report on remediation efforts where they are relevant to that assessment.
Expert Opinions on the New Rules
Richard Suls, a Security & Risk Management Consultant at WithSecure, believes that the SEC’s decision is a significant step in the right direction. He suggests that the mandatory disclosure of cyber attacks within a specific timeframe will enhance transparency and accountability, preventing the manipulation of financial data and the withholding of crucial information that could impact investors’ decisions.
Paul Brucciani, a Cyber Security Advisor at WithSecure, emphasizes the challenges that companies might face in implementing this rule. He argues that four days may not always be sufficient to fully understand the scope and impact of a sophisticated cyber attack. He suggests that the SEC should consider providing guidelines on what initial information needs to be disclosed within the four-day period, while allowing companies to provide updates and supplementary details as they become available.
The Global Perspective on Cyber Attack Reporting
The SEC's four-business-day window is longer than the reporting deadlines set by many other countries. In the EU, the UK, Canada, South Africa, and Australia, companies have 72 hours to report a cyber incident; in countries like China and Singapore it is 24 hours, and India requires reporting a breach within six hours. The comparison should be read with care, however: most of those regimes are data-protection or critical-infrastructure notifications to a regulator, with the clock starting at discovery of the breach, whereas the SEC rule is an investor disclosure whose clock starts only once the company has determined that the incident is material. An incident-response plan should therefore track these deadlines separately rather than assume that satisfying one satisfies the others.
The SEC’s decision to enforce prompt and transparent disclosure of cyber attacks is a commendable effort to bolster cybersecurity practices and safeguard the interests of investors. By embracing this new rule, companies will be compelled to take cyber threats more seriously and prioritize the protection of their sensitive data and financial assets. As security researchers, we welcome this initiative and hope that it will foster a culture of proactive cybersecurity and information sharing within the corporate landscape.