SEC Says Companies Must Disclose Cybersecurity Incidents Within 4 Days

The SEC has adopted new rules requiring public companies to disclose cybersecurity breaches that have a material impact within four days.

Concerns raised over SEC’s new cyber incident disclosure rules helping hackers 

The US Securities and Exchange Commission (SEC) announced on Wednesday that it has adopted new cybersecurity incident disclosure rules for public companies, but there is some concern that the new rules might actually be helping hackers.

The goal of the new rules is “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents”. 

Publicly traded companies will be required to disclose, through a Form 8-K filing, any material cybersecurity breach within four business days, unless otherwise instructed by the US attorney general due to substantial risk to national security or public safety. 

The SEC filing must describe the incident’s nature, timing, scope and material impact (or likely material impact). It’s worth noting that the timer for the four days starts the moment the victim determines that an incident is material.

Companies will also have to regularly provide information on their processes for identifying, assessing and managing risks associated with cyber threats, as well as on material impact from threats and previous incidents. 

Information on the board of directors’ oversight of cybersecurity risks and management’s expertise and role in managing cybersecurity-related material risks will also need to be provided.

The Form 8-K disclosures will be required starting 90 days after the publication of the rules in the Federal Register or December 18, 2023. Smaller companies have been given an additional 180 days. 


“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

While some have applauded the SEC’s efforts to ramp up expectations for companies, others are not happy with the new rules. 

The rules passed by a 3-2 vote. One of the two commissioners who voted against them is SEC Commissioner Hester Peirce, who raised concerns that the requirements will harm investors because of the additional costs associated with the disclosure process.

In addition, Peirce pointed out that the disclosure requirements could actually help cybercriminals. 

“The strategy and governance disclosures risk handing them a roadmap on which companies to target and how to attack them. The 8-K disclosures, which are unprecedented in nature, could then tell successful attackers when the company finds out about the attack, what the company knows about it, and what the financial fallout is likely to be (i.e., how much ransom the attacker can get),” Peirce said.

“The requirement to file an amended 8-K when new information comes in will provide the attacker regular updates on the company’s progress. The 8-K disclosures also will signal to other would-be attackers an opportune time to attack. The careful drafting necessary to avert some of these problems will be difficult in the four-day filing timeframe,” Peirce added.

It’s worth noting that these concerns are mentioned in the SEC’s document, but the risk is described as “justified by investors’ need for timely information”. 


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
