SEC Proposal Would Impose Stricter Timeline for Public Companies Reporting Cyberattacks

Faster reporting isn't necessarily better reporting.

Edward Gately, Senior News Editor

March 14, 2022


A U.S. Securities and Exchange Commission (SEC) proposal would require public companies to report data breaches and other cybersecurity incidents within four days of discovery.

According to newly proposed amendments to existing rules, listed companies would have to provide information in periodic report filings on policies, implemented procedures and the measures taken to identify and manage cybersecurity risks. The amended rules would also instruct companies to provide updates regarding previously reported security breaches.

Gary Gensler is SEC chair.

“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” he said. “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable and decision-useful manner.”

Not All Cyberattacks Are Equal

Joseph Carson is chief security scientist and advisory CISO at Delinea. He said the SEC proposal reinforces the importance of being incident response ready. It also emphasizes a solid backup and recovery strategy.

“The proposals, however, appear to treat data breaches and cybersecurity incidents all equally rather than as risk-based, which is a big surprise,” he said. “We know that the impact and severity of data breaches and cybersecurity incidents can vary significantly depending on the scale and type of data impacted. Organizations are really going to need to ramp up their incident response plans to be incident response ready, as many organizations, even after four days of discovering a data breach, are still trying to identify the impact. So reporting an incident at the same time will require quick incident response capabilities.”

Post-incident response and reporting are critically important, Carson said. And when security controls fail to prevent attacks, businesses must rely on their incident response and recovery capabilities to get the business back up and running.

“In addition to incident response, a strong backup strategy that reduces risks from ransomware combined with a solid privileged access security solution and use of multifactor authentication (MFA) wherever and whenever possible will make it more difficult for attackers to be successful in the future,” he said.

Good Move by SEC

Ray Kelly is fellow at NTT Application Security. He said the SEC proposal is a good move to standardize breach reporting and procedures for publicly traded companies and hold them accountable.

“The current policies – which do not specify a timeframe to report cybersecurity incidents to the public – have essentially allowed companies to disclose this critical information on their own merit, which could affect stock price or mergers and acquisitions,” he said.

Casey Ellis is Bugcrowd’s founder and CTO. He said the SEC proposal is a “significant development.”

“The SEC is recognizing and emphasizing the direct impact a company’s cybersecurity posture can have on its value,” he said. “More importantly, the recommendation refocuses their advice on addressing breaches as a when, not if matter, promoting transparency rather than avoidance. In many ways, this reflects what we’ve seen from firms and organizations who have made vulnerability disclosure and transparency a standard, and are now regarded as the most secure, trustworthy and valuable in the market.”

Fast Isn’t Always Better

Tim Erlin is vice president of strategy at Tripwire. He said the proposed rule fits well into the trend around cybersecurity reporting requirements. However, fast isn’t always better. Furthermore, with cybersecurity, fast is almost never accurate.

“Cybersecurity incidents are complex, and difficult to investigate,” he said. “Getting a complete picture takes time. While the headline may be a 48-hour reporting requirement, the SEC rule also includes an interesting requirement to provide updates ‘if any previously reported information about a significant cybersecurity incident becomes materially inaccurate or if the adviser discovers new material information related to an incident.’ The public disclosure of these additional details as they are uncovered will provide more value to the industry than the initial reporting requirement. Organizations can only learn how to protect themselves from similar attacks if they understand what happened.”

Little May Be Known in 4 Days

James McQuiggan is security awareness advocate at KnowBe4. He said while timely reporting of incidents is important, cyber incidents may take a considerable amount of time to review and to determine the impact of the event. Therefore, the reporting criteria and time frame are difficult to mandate in a way that would apply to all events.

“Even with the provision that the report needs to be filed within four business days after determining that it is a material incident, very little may still be known about the impact of the event at that time,” he said. “While the idea of reporting these under a new section of the 8-K form, care must be taken when considering mandates such as this, with short deadlines.”

A ransomware attack may impact production, triggering the reporting requirement and starting the clock ticking, McQuiggan said. However, in those four days, organizations may not be aware if data was stolen, what type of data may be at risk and other critical factors that may impact the severity of the event.

Companies could provide guesses and incorrect information, he said. That could prove more harmful than waiting a little longer to determine the actual impact.

About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
