New SEC Rules for Cyber Attack Disclosure
The U.S. Securities and Exchange Commission (SEC) has approved new rules that mandate publicly traded companies to disclose details of a cyber attack within four days of identifying a “material” impact on their finances. This marks a significant shift in the disclosure of computer breaches, aligning cybersecurity with other critical investor information.
Material Impact and Investor Protection
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC chair Gary Gensler. The new obligations require companies to reveal the nature, scope, and timing of the incident, as well as its impact. However, this disclosure may be delayed by up to 60 days if it is determined that such specifics would pose a substantial risk to national security or public safety.
Cybersecurity Risk Management and Remediation Efforts
The rules also necessitate companies to describe annually the methods and strategies used for assessing, identifying, and managing material risks from cybersecurity threats. They are required to detail the material effects or risks arising from these events and share information about ongoing or completed remediation efforts.
Expert Opinions on the New Rules
Richard Suls, a Security & Risk Management Consultant at WithSecure, believes that the SEC’s decision is a significant step in the right direction. He suggests that the mandatory disclosure of cyber attacks within a specific timeframe will enhance transparency and accountability, preventing the manipulation of financial data and the withholding of crucial information that could impact investors’ decisions.
Paul Brucciani, a Cyber Security Advisor at WithSecure, emphasizes the challenges that companies might face in implementing this rule. He argues that four days may not always be sufficient to fully understand the scope and impact of a sophisticated cyber attack. He suggests that the SEC should consider providing guidelines on what initial information needs to be disclosed within the 4-day period, while allowing companies to provide updates and supplementary details as they become available.
The Global Perspective on Cyber Attack Reporting
The new SEC requirement for organizations to report cyber attacks or incidents within four days is more lenient compared to other countries. In the EU, the UK, Canada, South Africa, and Australia, companies have 72 hours to report a cyber incident. In countries like China and Singapore, it’s 24 hours, and India requires reporting the breach within six hours.
Conclusion
The SEC’s decision to enforce prompt and transparent disclosure of cyber attacks is a commendable effort to bolster cybersecurity practices and safeguard the interests of investors. By embracing this new rule, companies will be compelled to take cyber threats more seriously and prioritize the protection of their sensitive data and financial assets. As security researchers, we welcome this initiative and hope that it will foster a culture of proactive cybersecurity and information sharing within the corporate landscape.
“These new regulations should dramatically change the way companies report breaches since they are now mandatory requirements. BlackFog has tracked the ratio of reported to unreported ransomware since January of 2023 and has typically seen a 10:1 ration of unreported to reported attacks. We hope to see this drop dramatically with these mandatory reporting rules. Data exfiltration is the preferred tactic of virtually all ransomware today (89%) and something that nearly all companies have overlooked. Consequently, attacks are now at an all-time high and organisations have not kept pace with new methods to prevent these attacks. We hope these rules stop the general trend in trying to hide any attacks for fear of retribution as well as stop ransomware payments to cybercriminals in the process.”