Will The SEC’s New Cybersecurity Initiative Help Businesses Or Create More Challenges?

Bing!

Your phone just buzzed. You have a new notification.

You pick up your phone to see a news article about a major publicly traded company that suffered a major cyberattack! #whoops

You read the article and see it’s about an incident that happened months ago!

“Where were the reporters back then”, you think.

“Is this why the company delayed the launch of its new and highly anticipated product?”

“It’s not fair that companies don’t have to divulge such important information, especially when they’re publicly traded!”

Well, that’s about to change, as the US Securities and Exchange Commission (SEC) has announced a new rule where publicly listed companies must disclose cyber-attacks within 4 days!

Let’s explore.
 

What Do The New Rules Entail?

 

• The new SEC rules state that publicly traded companies must disclose any cyber-attack they faced within four days after the attack being determined as a “material incident”.

• Material incidents consist of events that public company’s shareholders would consider important while making investment decisions.

• The new set of rules also requires foreign private issuers to disclose cybersecurity breaches of equivalent nature.

• Any such incident must be disclosed by listed companies using 8-K Forms and must include details or information about the cyberattack. (8-K forms are used to notify the SEC and shareholders of major events or significant changes in a listed company that shareholders may find important and are also filed within 4 business days.)

What Information Do The New Rules Require Companies To Disclose?

 

• Details to be disclosed (provided they’re available at the time of filing Form 8-K) include:
  • The date of discovery.
  • Status of the incident (ongoing/resolved).
  • A description of the incident’s nature.
  • The extent of affected data.
  • The impact on the company’s operation.
  • Remediation efforts.

• However, companies needn’t provide information regarding the technical specifics of their remediation efforts or potential vulnerabilities that could affect these efforts.

What Are The Important Timelines And Dates To Remember?

 

• While the standard filing time for 8-K Forms is within 4 business days, under certain circumstances the disclosure timeline can be pushed back if the US Attorney General believes disclosing could pose national security or public safety issues.

• Furthermore, smaller companies will get an additional 180 days before having to disclose.

• Reportedly, the new set of rules is scheduled to come into effect in December or 30 days after being published in the Federal Register.

• Plans surrounding these rules were initially revealed by the SEC in March 2022.

   

What Did The SEC And Its Experts Say About This Move?

 

• Gary Gensler, SEC Chair said, “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

• According to Lesley Ritter of Moody’s Investors Service, "The cybersecurity disclosure rules adopted by the U.S. Securities and Exchange Commission earlier today will provide more transparency into an otherwise opaque but growing risk, as well as more consistency and predictability."

• Ritter believes not all will be eased with this move, adding, that "increased disclosure should help companies compare practices and may spur improvements in cyber defenses, but meeting the new disclosure standards could be a bigger challenge for smaller companies with limited resources."

• Meanwhile, another report suggests some companies are angry at the new rules and feel micromanaged.

 
This move certainly emphasizes the importance of cybersecurity and reiterates the vitality of Security Information and Event Management and related tools. Check out our list of the top SIEM tools of 2023!

What do you think of the new rule issued by the SEC? Do you think it will benefit businesses or micro-manage them? Let us know in the comments below!