
Infosec professionals disagree on SEC’s four-day reporting rule


The Securities and Exchange Commission (SEC) recently announced new cybersecurity rules that aim to promote transparency for breaches and attacks. The rules require public companies to report cyber attacks within four business days on Form 8-K filings. While the new rules have been praised for increasing transparency and improving cyber hygiene, there are concerns about the potential negative consequences and lack of clarity.

Infosec experts have expressed mixed opinions about the new rules. Some believe that the reporting requirements will enhance cyber hygiene and provide a baseline of expectations and requirements for companies. Others, however, are concerned about the lack of clarity and ambiguity in the rules. Tara Wisniewski, executive vice president of global markets and member engagement at cybersecurity nonprofit ISC2, believes that the rules create more questions than answers. There are no concrete definitions for terms such as “cyber incidents” and “materiality,” making it difficult for companies to determine what needs to be disclosed.

One area of concern is the definition of “materiality” in relation to cyber attacks. Nick DeLena, cybersecurity and privacy advisory partner at accounting firm PKF O’Connor Davies, acknowledges that the SEC’s definition is vague, but suggests that it comes down to whether a reasonable investor would view the information as important in deciding whether to buy the company’s stock. The new rules give companies four business days to disclose a breach that is deemed “material” to the SEC, allowing them time to detect, respond, recover, and analyze the breach before making a public disclosure.

Transparency is a key issue in the cybersecurity industry, particularly when it comes to reporting ransomware attacks. Many companies only report breaches after being added to a ransomware group’s public data leak site, which is used to pressure victim organizations into paying. The new SEC rules aim to address this by requiring companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats. Companies will also have to disclose the board of directors’ oversight of risks from cybersecurity threats and management’s role in assessing and managing material risks.

Amit Yoran, CEO of Tenable, believes that the new rules will lead to greater transparency and accountability. He argues that when cyber breaches have real-life consequences and reputational costs, investors should have the right to know about an organization’s cyber risk management activities. Yoran sees the rules as a step toward improving cybersecurity preparedness as a nation.

However, some experts have raised concerns about whether the rules will give an advantage to attackers. Christopher Budd, director of threat research at Sophos, points out that incidents and investigations take time, so organizations may not have the full story after four days and will need to provide ongoing updates. There is also the fear that disclosing a cyber incident before it has been contained or mitigated could benefit the attacker. Harley Geiger, counsel for Venable LLP, suggested that the SEC provide an exemption to the reporting requirements to allow companies to delay public disclosure if certain conditions are met.

The SEC has addressed this concern by stating that a disclosure may be delayed if it poses a substantial risk to national security or public safety, as determined by the U.S. Attorney General. While this exemption is seen as a positive step, there are still concerns about the lack of specific guidelines on how these allowances will be considered.

Overall, the new cybersecurity rules adopted by the SEC have the potential to promote transparency and improve cyber hygiene. However, more time and practical experience are needed to fully assess the consequences, both positive and negative. The lack of clarity and the ambiguity in the rules remain a concern for cybersecurity professionals, who are already grappling with the challenges of an ever-evolving threat landscape.
