The US Securities and Exchange Commission (SEC) has shared some important clarifications on its new cyber incident disclosure requirements, which come into effect on Monday, December 18.
The SEC announced in late July that it had adopted new cybersecurity incident disclosure rules for public companies, requiring them to disclose any material breach within four business days of discovering that the incident has material impact. In addition, companies will have to submit annual reports with information on their cybersecurity risk management, strategy, and governance.
According to the SEC, the goal is to provide investors with “timely, consistent, and comparable information” in order to help them make informed investment and voting decisions, pointing out that cybersecurity incidents can cause significant losses to companies and their investors.
When the government agency announced the new rules, some industry professionals and government representatives raised concerns that forcing companies to disclose information in this manner could actually help threat actors, as the information provided by the victim to the SEC could be very useful. This includes telling the attacker when the breach was discovered, what is known about it, and the potential financial impact, which could be useful for setting a ransom demand in the case of ransomware attacks.
In a blog post published last week, Erik Gerding, director of the SEC’s Division of Corporation Finance, shared some clarifications on what information must be disclosed by companies and when it must be disclosed.
Gerding clarified that the final version of the rules is more focused on the material impacts of an incident and requires less information compared to the initial version. Moreover, companies are specifically told that they do not need to disclose any specific or technical information about their incident response, systems or potential vulnerabilities if that could impede their incident response and remediation process.
“The Commission thus balanced the need for disclosure with the risk that disclosing specific technical information could provide a road map that threat actors could exploit for future attacks,” Gerding explained.
He also provided additional clarifications on the ‘four business day’ requirement, noting that it’s in line with other events that companies are required to report to the SEC, such as bankruptcy.
Public firms that suffer a data breach will be required to inform the SEC within four business days of determining that the incident is material, but their initial notification does not need to contain complete information about the incident. A subsequent filing can be used to disclose information obtained after the four-day deadline.
Gerding highlighted that the final version of the rule also includes some changes regarding the annual disclosures in an effort to avoid misinterpretations that could put unnecessary pressure on companies.
For instance, a requirement to disclose whether any board members have cybersecurity expertise has been removed as it may have been interpreted as a requirement to retain an expert on the board. Such an expert could come at the expense of other, more important cybersecurity investments.
Some companies will be allowed to delay their disclosure to the SEC if there is substantial risk to public safety or national security.
Organizations that have suffered a breach can request an exemption if they believe the disclosure will harm public safety or national security. The Justice Department can grant delays ranging between 30 and 120 business days — a delay exceeding 120 days can only be granted by the SEC.
The FBI, which is accepting delay requests on behalf of the Justice Department, recently provided some clarifications on this process.
The SEC has promised to assist companies and assured them that it “does not seek to make ‘gotcha’ comments or penalize foot faults”.
Summer Fowler, faculty at IANS Research and CISO at Torc Robotics, has shared some recommendations on how companies can prepare for complying with the SEC cyber incident disclosure rules.
“Create a formal definition of what is ‘material’ to the organization. This is a collaborative effort between security experts and senior leadership to draft a definition of materiality that includes both direct (e.g., cost of forensics) and indirect (e.g., reputational costs) impacts. Ultimately, both the C-suite and board should approve a comprehensive company definition of materiality,” Fowler said.
She added, “Document the formal process by which risks related to cybersecurity threats are managed; produce and regularly update evidence to show that risks from cybersecurity threats are presented to the board and any feedback or actions are driven to conclusion; develop and implement policies, procedures, and protocols for reporting material cybersecurity incidents on Item 1.05 Form 8-K.”
Edgard Capdevielle, CEO of industrial cybersecurity firm Nozomi Networks, has shared some advice for organizations using operational technology (OT) systems.
“There are major implications for organizations that manage operational technology. If an OT network is crippled in a cyberattack, there is a very high likelihood that it is material. If infrastructure like a manufacturing line, power grid, oil refinery, airport or healthcare system goes down, there will inevitably be a significant disruption to commerce – not to mention the impact on public safety or the environment,” Capdevielle said.
“Based on my own experience, these OT systems, which are every bit as vulnerable, are not as well protected thanks to years of inattention. That should be a concern for investors, as well as the millions of people who depend on them every day. I’d encourage not only CISOs, but others in fiduciary roles such as CFOs, board directors and legal counsels, to pay close attention – and if an incident does happen, assume that it’s material,” he added.
Related: Industry Reactions to New SEC Cyber Incident Disclosure Rules: Feedback Friday
Related: Ransomware Group Files SEC Complaint Over Victim’s Failure to Disclose Data Breach
