The US Securities and Exchange Commission (SEC) has adopted new cybersecurity incident disclosure rules for public companies, but there is concern that the new rules could actually be helping cybercriminals.
Publicly traded companies will be required to disclose security breaches that have a material impact within four business days, and regularly provide information on their risk management processes and practices.
While some have applauded the SEC’s initiative, others are concerned that the disclosure requirements could actually help cybercriminals by providing them with information that they could leverage for hacking and extortion.
Industry professionals have commented on various aspects of the new disclosure rules, including benefits, potential problems, and challenges for affected organizations.
Gareth Lindahl-Wise, CISO, Ontinue:
“It is unlikely that a competent attacker will learn much from a control and ‘next steps’ perspective from the proposed filings of the impacted company that they don’t already know. It might lead those less skilled in reconnaissance to what has worked or might work – though we would hope the company would have made steps to mitigate those risks by then.
What is more likely is the ability to learn (or at least infer) what impact the attack is having. This may stretch out the timelines for the extortion attacks we are used to (such as ransomware, DDoS or data disclosure threats) as the disclosures need to advise on the materiality of the attack. This would be like playing poker and the other guy having to show you their cards.
The more tangible impact on security may well be the time and focus that this level of reporting will take away from beleaguered security teams, in an environment where market forces drive external validation of posture and numerous other pieces of legislation already require notification of incidents.
Well meant, but very broad and in danger of being counter productive.”
Tom Eston, VP of Consulting and Cosmos, Bishop Fox:
“I think the new rules are a good thing to standardize on breach disclosures because right now it’s up to the company when and if they want to disclose a breach to the public.
As for how this helps attackers? It’s speculative and dependent on the motives of specific attackers, but for ransomware attackers, it could accelerate the pressure and timeline to pay, or widen the ‘publicity’ for the attacker group. As some have said, it also is feasible that the levels of detail in disclosure could also provide attackers with greater target and tactical intelligence.”
Nakul Goenka, Risk Officer, ColorTokens:
“The SEC has approved new cybersecurity rules, which is a significant step in the right direction. These breach disclosure rules will help give CISOs a seat at the table. Companies should start preparing and thinking about their policies, procedures, organizational structure and tool sets immediately.
While the rules do offer flexibility to determine what is considered a ‘material’ incident and hence reportable, we might also see some litigation based on decisions taken by the management teams. It will be interesting to see how these rules are actually implemented and whether the benefits will outweigh the costs and burden.”
Melissa Bischoping, Director, Endpoint Security Research, Tanium:
“During an incident response, your focus is prioritized on the incident – scoping, containing, and ensuring you’ve completely evicted an attacker from the environment. Facts and evidence may rapidly emerge as you work through the incident response process; by requiring early disclosure, you may get incomplete disclosure, or things that require revision once more is discovered. These likely corrections or modifications may erode trust in the initial disclosure.
It is the right thing for organizations to disclose breaches, but at face value, forcing a rapid public dis-closure is a bad idea. It will result in reactive market behavior, erosion of trust, and confusion, and in some cases it may even give insight to the attacker on your visibility. Showing your hand that you know the attacker is in the environment too early may cause them to change their TTPs and evasion strategy mid operation, making it more challenging to get evidence and ensure you’ve fully remediated. Any compliance-driven early disclosure requirements must come with careful review and consideration of the cost to the critical incident response process.”
Jennie Wang VonCannon, partner, Crowell & Moring:
“The long-awaited SEC Cybersecurity Rules were finalized on July 26, 2023, and the results are substantially the same as the proposed version of the rules that were issued in March 2022. The top three takeaways are:
Materiality is the name of the game. Companies must disclose “material cybersecurity incidents” on Item 1.05 (new) of Form 8-K (not new), and disclose “material aspects” of the incident’s nature, scope, timing, and impact on the company. The key issue is what is “material,” and given that this is a new rule, there is not a lot of guidance about it in the cybersecurity context.
However, the Supreme Court has weighed in on what that means for registrants when it comes to financial statements, holding that an error is “material” if there is “a substantial likelihood that the . . . fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.” TSC Industries v. Northway, Inc., 426 U.S. 438, 449 (1976); see also Basic, Inc. v. Levinson, 485 U.S. 224 (1988) (determinations of materiality require “delicate assessments of the inferences a ‘reasonable shareholder’ would draw from a given set of facts and the significance of those inferences to him . . . .”) (citing TSC Industries, 426 U.S. at 450).
[…]
Although the SEC Cybersecurity Rules apply only to publicly-traded companies, the promulgation of these rules will have the practical effect of setting the standard for what is reasonable for all companies—public and private alike—when it comes to cybersecurity incident preparedness, response, and disclosure to stakeholders (which include affected customers, shareholders, and government agencies).”
Richard Suls, Security & Risk Management Consultant, WithSecure:
“As a security researcher focused on cybersecurity and the protection of sensitive data, I believe that the SEC’s decision to require publicly traded companies to disclose cyber attacks within 4 days of identifying a “material” impact on their finances is a significant step in the right direction. This rule change represents a major shift in how cyber breaches are handled and disclosed, and it has several potential benefits for both investors and the overall security landscape.
Firstly, the mandatory disclosure of cyber attacks within a specific timeframe will enhance transparency and accountability. By imposing a strict deadline, companies cannot delay or obscure information about cyber incidents, ensuring that investors and stakeholders are promptly informed of potential financial implications resulting from breaches. This will help in preventing the manipulation of financial data and the withholding of crucial information that could impact investors’ decisions.
Secondly, the new rule can act as a strong incentive for companies to invest more resources in cybersecurity measures and incident response capabilities. When faced with the prospect of publicizing a cyber attack and its financial impact, companies are likely to prioritize cybersecurity as a core aspect of their business strategy. This could lead to increased spending on advanced security technologies, threat intelligence, employee training, and proactive risk assessments, ultimately strengthening the overall resilience of the corporate sector against cyber threats.
Moreover, the requirement to disclose “material” impacts can lead to a better understanding of the true financial consequences of cyber attacks. By sharing this information, companies can learn from each other’s experiences, facilitating the development of industry-wide best practices in incident response and mitigation. This collaborative approach can lead to a more robust and adaptive security landscape, making it harder for threat actors to exploit common vulnerabilities across multiple organizations.”
Richard Bird, CSO, Traceable AI:
“Rather than exhibiting the courage and coordination required to create something as crucial as a national data privacy law, once again, agencies like the SEC are pushing for faster breach notifications in the hopes that the American people will think the government is addressing the need for stronger cybersecurity. But breach notices are not security — and never will be.
The SEC proves once again that our federal agencies can only view security with a rearview mirror. Breach notices are an outcome, not a protection. The enormous resistance of our federal government to mandate basic security principles as a requirement for doing business in our nation is inexcusable. It is time for it to treat cybersecurity as a proactive measure rather than an afterthought.”
Darren Williams, CEO, Founder, Blackfog:
“These new regulations should dramatically change the way companies report breaches since they are now mandatory requirements. BlackFog has tracked the ratio of reported to unreported ransomware since January of 2023 and has typically seen a 10:1 ratio of unreported to reported attacks. We hope to see this drop dramatically with these mandatory reporting rules.
Data exfiltration is the preferred tactic of virtually all ransomware today (89%) and something that nearly all companies have overlooked. Consequently, attacks are now at an all-time high and organizations have not kept pace with new methods to prevent these attacks. We hope these rules stop the general trend in trying to hide any attacks for fear of retribution as well as stop ransomware payments to cybercriminals in the process.”
James McQuiggan, Security Awareness Advocate, KnowBe4:
“The new requirement set forth by the SEC requiring organizations to report cyber attacks or incidents within four days seems aggressive but sits in a more lax time frame than other countries. Within the EU, the UK, Canada, South Africa, and Australia, companies have 72 hours to report a cyber incident. In other countries like China and Singapore, it’s 24 hours. India has to report the breach within 6 hours.
Either way, organizations should have repeatable and well-documented incident response plans with communication plans, procedures, and requirements on who is brought into the incident and when. Part of this documentation will need to involve when to inform the SEC if they are publicly traded. Organizations must stay current on local cybersecurity laws and regulations to ensure compliance and foster a prompt incident reporting and response culture.”
Mike Britton, CISO, Abnormal Security:
“Increased disclosures and greater transparency is a good thing for everyone concerned with cybersecurity. But there are some uncertainties around how far these SEC cyber rules will go toward actually solving or exposing security incidents.
For one, the rule assumes that breached organizations are aware of a material compromise, and that reporting it within the stipulated four days from discovery is timely enough. But so often, organizations experience breaches where an attacker was already inside their corporate network—sometimes for weeks or months—before they identified the attack. The SolarWinds attack is a prime example of this, but we also just saw this happen with the hack on U.S. government email accounts through a Microsoft vulnerability, where the attackers were lurking within those accounts for as long as a month before customers noticed anomalous mail activity.
Secondly, the mandated disclosures are required only if the breach has a “material” impact on operations, revenues, or stock price. But without a concrete definition around what is considered “material,” this can feel somewhat arbitrary, and may lead to some material breaches going unreported. Plus, in many cases, an organization won’t know the extent of their material damages until much later.
There is a question around whether the bar should be lowered. For example, there is a case to be made for disclosing any type of breach—even if it’s a BEC attack that results in relatively lower financial loss, like in the thousands of dollars, or if there are repeated incidents. Is a single material breach any worse than attacks that are less costly, but more frequent? Organizations have a duty to be transparent with their customers and investors, so at what point do we draw the line?”
