Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Breaches

SEC Shares Important Clarifications as New Cyber Incident Disclosure Rules Come Into Effect

The SEC has provided some important clarifications on its new cyber incident disclosure requirements, which come into effect on December 18.

SEC Breach Disclosure Rules

The US Securities and Exchange Commission (SEC) has shared some important clarifications on its new cyber incident disclosure requirements, which come into effect on Monday, December 18. 

The SEC announced in late July that it had adopted new cybersecurity incident disclosure rules for public companies, requiring them to disclose any material breach within four business days of discovering that the incident has material impact. In addition, companies will have to submit annual reports with information on their cybersecurity risk management, strategy, and governance.

According to the SEC, the goal is to provide investors with “timely, consistent, and comparable information” in order to help them make informed investment and voting decisions, pointing out that cybersecurity incidents can cause significant losses to companies and their investors. 

When the government agency announced the new rules, some industry professionals and government representatives raised concerns that forcing companies to disclose information in this manner could actually help threat actors, as the information provided by the victim to the SEC could be very useful. This includes telling the attacker when the breach was discovered, what is known about it, and the potential financial impact, which could be useful for setting a ransom demand in the case of ransomware attacks. 

In a blog post published last week, Erik Gerding, director of the SEC’s Division of Corporation Finance, shared some clarifications on what information must be disclosed by companies and when it must be disclosed. 

Gerding clarified that the final version of the rules is more focused on the material impacts of an incident and requires less information compared to the initial version. Moreover, companies are specifically told that they do not need to disclose any specific or technical information about their incident response, systems or potential vulnerabilities if that could impede their incident response and remediation process.

“The Commission thus balanced the need for disclosure with the risk that disclosing specific technical information could provide a road map that threat actors could exploit for future attacks,” Gerding explained. 

He also provided additional clarifications on the ‘four business day’ requirement, noting that it’s in line with other events that companies are required to report to the SEC, such as bankruptcy. 

Advertisement. Scroll to continue reading.

Public firms that suffer a data breach will be required to inform the SEC within four business days of determining that the incident is material, but their initial notification does not need to contain complete information about the incident. A subsequent filing can be used to disclose information obtained after the four-day deadline.

Gerding highlighted that the final version of the rule also includes some changes regarding the annual disclosures in an effort to avoid misinterpretations that could put unnecessary pressure on companies. 

For instance, a requirement to disclose whether any board members have cybersecurity expertise has been removed as it may have been interpreted as a requirement to retain an expert on the board. Such an expert could come at the expense of other, more important cybersecurity investments. 

Some companies will be allowed to delay their disclosure to the SEC if there is substantial risk to public safety or national security.

Organizations that have suffered a breach can request an exemption if they believe the disclosure will harm public safety or national security. The Justice Department can grant delays ranging between 30 and 120 business days — a delay exceeding 120 days can only be granted by the SEC. 

The FBI, which is accepting delay requests on behalf of the Justice Department, recently provided some clarifications on this process. 

The SEC has promised to assist companies and assured them that it “does not seek to make ‘gotcha’ comments or penalize foot faults”.

Summer Fowler, faculty at IANS Research and CISO at Torc Robotics, has shared some recommendations on how companies can prepare for complying with the SEC cyber incident disclosure rules. 

“Create a formal definition of what is ‘material’ to the organization. This is a collaborative effort between security experts and senior leadership to draft a definition of materiality that includes both direct (e.g., cost of forensics) and indirect (e.g., reputational costs) impacts. Ultimately, both the C-suite and board should approve a comprehensive company definition of materiality,” Fowler said.

She added, “Document the formal process by which risks related to cybersecurity threats are managed; produce and regularly update evidence to show that risks from cybersecurity threats are presented to the board and any feedback or actions are driven to conclusion; develop and implement policies, procedures, and protocols for reporting material cybersecurity incidents on Item 1.05 Form 8-K.”

Edgard Capdevielle, CEO of industrial cybersecurity firm Nozomi Networks, has shared some advice for organizations using operational technology (OT) systems. 

“There are major implications for organizations that manage operational technology. If an OT network is crippled in a cyberattack, there is a very high likelihood that it is material. If infrastructure like a manufacturing line, power grid, oil refinery, airport or healthcare system goes down, there will inevitably be a significant disruption to commerce – not to mention the impact on public safety or the environment,” Capdevielle said.

“Based on my own experience, these OT systems, which are every bit as vulnerable, are not as well protected thanks to years of inattention. That should be a concern for investors, as well as the millions of people who depend on them every day. I’d encourage not only CISOs, but others in fiduciary roles such as CFOs, board directors and legal counsels, to pay close attention – and if an incident does happen, assume that it’s material,” he added.

Related: Industry Reactions to New SEC Cyber Incident Disclosure Rules: Feedback Friday

Related: Ransomware Group Files SEC Complaint Over Victim’s Failure to Disclose Data Breach

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.