The US Securities and Exchange Commission (SEC) recently implemented new cybersecurity rules for publicly traded companies, sparking a response from government and industry experts. Under these rules, covered firms are now required to report details about “material” cyberattacks within four days of the event, including the nature, scope, and timing of the incident, as well as its impact on the company. While some experts believe that this requirement will enhance transparency and help stakeholders make more informed decisions, others are concerned about the broad definition of “material” and the potential difficulties associated with assessing the full impact of a breach within the first few days.
According to cybercrime researcher Graham Cluley, many firms may not be pleased with the new disclosure requirement, as the term “material” can be broadly interpreted. Additionally, assessing the full impact of a breach within a short timeframe can be challenging. Underestimating the scope of a breach may result in the need for a corrected assessment later, while overestimating it could have irreversible consequences. However, Cluley concedes that the new rules do promote consistency, comparability, and decision-usefulness in disclosing breaches.
The SEC’s new rules also include a change regarding the disclosure of board member expertise in cybersecurity. Previously, the regulations required companies to disclose if any board directors had significant knowledge of cybersecurity. However, this requirement received pushback from organizations and the National Association of Corporate Directors (NACD), which argued that cybersecurity knowledge should reside in management rather than the board. NACD president and chief executive Peter Gleason expressed gratitude that this requirement was dropped, as it would have placed an undue burden on boards, and that risk management should remain the responsibility of management.
Industry experts have responded to the new rules with a range of views. Darren Williams, CEO and founder of BlackFog, believes that the mandatory reporting rules will lead to a significant shift in how companies report breaches. Williams notes that currently, a large number of ransomware attacks go unreported, but he hopes that these new regulations will decrease the ratio of unreported to reported attacks and deter organizations from hiding breaches or making ransomware payments.
Ronen Slavin, co-founder and CTO of Cycode, welcomes the new rules as a step towards protecting investors and financial markets from cybersecurity breaches. He believes that the requirement for companies to disclose breaches faster will enable other companies to learn and take steps to protect themselves, as well as improve their own cybersecurity posture. Slavin argues that this change will make the financial markets more resilient to future attacks.
Reed Loden, VP of Security at Teleport, agrees that the SEC’s new regulations are long overdue and highlight the need for companies to quickly disclose cybersecurity incidents. Loden hopes that the rules will encourage organizations to be more open and transparent about their incidents, as sharing information can help other organizations address their own security issues. However, Loden also raises concerns about the definition of “materiality” and wonders how forcefully the SEC will enforce the rules if companies fail to disclose serious security incidents.
Christopher Prewitt, CTO of Inversion6, views the SEC’s action as necessary to bring attention to the criticality of cyberattacks on companies. Prewitt emphasizes the increasing dependence on IT in business processes and believes that the new regulations will prompt organizations to prioritize cybersecurity and improve their risk management strategies. He suggests that fines for non-compliance with the reporting timeline should accompany the regulations.
Ani Chaudhuri, CEO of Dasera, praises the SEC’s new rules as a significant step towards transparency in a world where cybersecurity incidents are becoming more common. Chaudhuri argues that timely and comprehensive disclosure of such incidents is crucial, as digital assets are increasingly critical to businesses. Material incidents are those that have a significant impact on a company’s financials, operations, or reputation, which shareholders consider when making investment decisions. Chaudhuri emphasizes that cybersecurity should be a concern for everyone, not just IT professionals.
While the SEC’s approach is commendable, there are challenges associated with the new rules. The reporting timeline may be tight for complex incidents, and the determination of materiality requires careful consideration. However, experts hope that the regulations will foster transparency, enhance cybersecurity practices, and make the financial markets more resilient to future attacks.
