The U.S. Securities and Exchange Commission (SEC) has adopted new rules that require publicly traded companies to disclose cyberattacks within four business days after determining that they are material incidents. Significantly, this is within four days of determining an incident is materially impacting, and not within four days of discovering a cyberattack.
Material incidents are defined as those that a public company’s shareholders would consider important “in making an investment decision.”
“Whether a company loses a factory in a fire, or millions of files in a cybersecurity incident, it may be material to investors,” said Gary Gensler, the SEC’s chair, in a virtual meeting of the agency’s commissioners, reported by The Wall Street Journal.
Companies are only permitted to delay the disclosure of a cyberattack if the U.S. Attorney General determines that an immediate disclosure could pose a significant risk to national security or public safety.
New SEC Guidelines aim for more cybersecurity transparency
The new guidelines are designed to improve the timeliness and transparency of cybersecurity disclosures. They also require companies to provide more detailed information about cyberattacks, such as the nature of the incident, the scope of the impact, and the steps that the company has taken to mitigate the damage. These details are to be included in periodic report filings, specifically on 8-K forms.
The new rules take effect in December 2023. Companies that fail to comply with the rules could be subject to enforcement actions by the SEC.
Required SEC cyberattack disclosure information
The SEC is requiring companies to comply with the new regulations to include at minimum the following breach-related details in an official 8-K report:
- The date of discovery and status of the incident (ongoing or resolved).
- A concise description of the incident’s nature and extent.
- Any data that may have been compromised, altered, accessed, or used without authorization.
- The impact of the incident on the company’s operations.
- Information about ongoing or completed remediation efforts by the company.
Companies will need to describe the processes by which they identify material cybersecurity risks in their annual reports. Federal compliance deadlines mean that companies must start doing this by December 15, and must start reporting incidents from December 18.
Will the new SEC cyberattack regulations be effective?
The new rules are a welcome development for investors, who need timely and accurate information about cybersecurity risks in order to make informed investment decisions. The rules will also help to improve the overall cybersecurity posture of public companies, as they will be forced to take steps to identify and mitigate cybersecurity risks.
But, skepticism remains about the overall SEC announcement. The SEC states that only a cyberattack “materially” impacting an organization or investors is the key requirement to disclosure.
How an organization chooses to define or spin a cybersecurity incident as non-material to avoid disclosure is yet to be seen, but inevitably will occur.
Could new SEC requirements actually help hackers?
The very definition of “cyberattack” has been disputed for well over a decade by cybersecurity experts and governments alike.
Is a distributed denial of service attack against a company website a “material” cyberattack incident requiring disclosure? Most would argue this is on the low end of the spectrum for cybersecurity risk or requiring disclosure. Other examples, such as nation-state cyber espionage or data exfiltration of intellectual property are easier to label as materially impacting a business and its investors.
Finally, if a company is forced to disclose the financial impact of a cybersecurity incident, this provides cyber threat actors valuable information about how damaging their attack was. It could also fuel more ransomware attacks as ransomware gangs have additional context for how costly their attacks are if no bounty is paid.
Still, the timeline of requiring disclosure—within four days of determining a cyberattack is materially impacting—not the origin of the cyberattack—leaves a lot of grey areas for organizations to maneuver within to dodge potentially inconvenient disclosures.
This article has been updated on July 31, 2023 to include additional disclosure details and improved clarity.
