CyberSecurity SEE

SEC introduces new cyber regulations as New Zealand strengthens cybersecurity authority; US proposes AI Bill of Rights and White House nominates national cyber director.

The US Securities and Exchange Commission (SEC) has voted to adopt new cybersecurity rules for publicly traded companies. The aim of these rules is to enhance transparency and prompt disclosure of cyber incidents that could have a material impact on investors. Companies will be required to report any cyber incident within four days of identifying its potential material effect on investors, with the exception of cases where national security concerns may arise. In addition, companies will need to provide periodic reports on their efforts to identify and manage cyber threats.

The adoption of these rules has been praised by industry experts for bringing more transparency to growing cybersecurity risk. Lesley Ritter, Senior Vice President at Moody’s Investors Service, sees the rules as a positive move towards improving cyber defenses and addressing the challenges faced by companies with elevated cyber risk. However, Ritter also acknowledges that smaller companies with limited resources may find it challenging to meet the new disclosure standards.

One crucial aspect of the new rules that has been somewhat overlooked is the requirement for annual attestation, according to Chris Denbigh-White, CISO of data protection firm Next DLP. This annual reporting on an organization’s information security context, requirements, objectives, and scope is similar to the principles found in the ISO-27001 framework for information security management. Denbigh-White believes that this requirement will compel organizations to reevaluate their approach to cyber risk management and ensure a continuous focus on addressing cyber risk at all levels within the organization.

Saket Modi, CEO of Safe Security, highlights the urgency with which organizations are working to comply with the new rules. The emphasis on reporting material hacks within four days poses a challenge for companies that struggle to determine what constitutes materiality. Modi argues that organizations must focus on protecting systems that pose the most significant material risk to the business and make cyber investments aimed at reducing the likelihood of such breaches. Determining materiality requires translating cyber risk into tangible business risk.

While the new rules are seen as a step towards greater transparency, some uncertainties remain. Mike Britton, CISO of Abnormal Security, highlights the potential limitations of the rules when it comes to accurately reporting security incidents. Organizations often discover breaches long after an attacker has gained unauthorized access, making the four-day reporting timeline unrealistic in many cases. Additionally, the definition of material impact remains somewhat arbitrary, which may lead to underreporting of breaches. Britton suggests that the bar for reporting breaches should be lowered to ensure transparency.

James Turgal, VP of cyber risk, strategy, and board relations at Optiv and a former FBI agent, believes that the new rules will incentivize more information sharing and improve decision-making and response time for both industry stakeholders and law enforcement. Turgal also notes that the rules elevate the role of corporate boards in cybersecurity and risk management, emphasizing the need for company-wide involvement in cyber resilience.

Scott Kannry, CEO and Co-Founder of Axio, stresses the importance of preparation for companies to effectively comply with the new rules. CEOs and boards of directors need to understand cybersecurity risk and provide appropriate oversight and governance. Security leaders must model the potential impact of threats and determine mitigating actions. And all key stakeholders need to have clear lines of communication and response plans in place.

In summary, the SEC’s adoption of new cybersecurity rules for publicly traded companies aims to improve transparency and ensure prompt disclosure of cyber incidents that could impact investors. While the rules are generally seen as positive for enhancing cyber defenses, challenges remain in determining materiality and accurately reporting breaches. However, the rules also provide an opportunity for companies to reevaluate their approach to cyber risk management and involve all levels of the organization in cybersecurity efforts. Ultimately, the success of these rules will depend on how effectively companies prepare and comply with the new requirements.