SEC cyber rules ignite tension between reputation and security risk

Weeks after the Securities and Exchange Commission adopted new cybersecurity disclosure rules, publicly traded companies across the U.S. and abroad are reassessing internal security practices and governance to prepare for heightened levels of accountability. 

Following a combative open hearing, the SEC voted 3-2 for new rules that require companies to disclose material cyber incidents to the agency. Companies will have four business days to report the incident to the SEC once they determine it is material to the business.

The rules, which will go into effect Sept. 5, are designed to ensure investors and other members of the public are informed about these events in a much more timely and consistent manner. 

SEC Chair Gary Gensler said that if a company lost a factory in a fire, that loss would be considered material to the business, and that the loss of millions of files to a cyberattack needs to be treated with the same level of materiality.

“Whether it’s a material factory [incident] or a material cybersecurity incident, it may be important to those investment decisions that we oversee the disclosure for,” Gensler said during the July 26 open meeting.

Over many years, the agency’s disclosure requirements have “evolved to meet investors’ needs in changing times,” he said.

The SEC made numerous accommodations following concerns about national security and the release of proprietary information. The final rule still incorporates a strict schedule designed to provide timely information to investors regarding the security of corporate data and the potential loss of customer information. 

“Generally, businesses should be excited about changes to the rules as the SEC tried to streamline compliance in a lot of areas,” said Joe Nocera, lead partner of cyber, risk and regulatory marketing at PwC US. “However, the requirement that incidents be disclosed within four business days will be a heavy lift for companies.”

The push for regulatory change emerged after federal officials raised concerns about the lack of incident transparency in the wake of the 2020 Sunburst malware attack on SolarWinds, a publicly traded provider of IT monitoring software, and the 2021 ransomware attack against Colonial Pipeline, a closely held fuel supplier.

A 2022 report released by Sen. Gary Peters, D-Mich., showed upwards of 75% of ransomware attacks went unreported, while the SEC and other regulators found that companies often failed to make timely disclosures about material breaches and attacks. 

Gartner, in a report released in September 2022, noted that public companies filed less than 43% of their disclosed breaches to the SEC in 2021.

Companies took an average of 79.8 days to report the incident to the regulatory agency, which was up from an average of 60.6 days in 2020, Gartner found.

But companies should not expect to be able to maintain such an inconsistent and irregular pattern of reporting if they want to maintain investor confidence, Gartner said. Instead, organizations should conduct internal audits of incident response plans and cybersecurity controls to determine whether they can quickly respond to an attack or breach.

Taking security to the board

Many companies will have to reassess their existing relationships between security operations teams, the C-suite and the board of directors under the new rule. 

CISOs will need to have more direct and frequent communications with the upper echelons of their companies to make sure the board and investor relations arms are fully aware of ongoing cyber risk.

“Operational rigor to determine material impact and streamlining incident response will be brutal and expensive for many public companies,” George Gerchow, CSO and SVP of IT at Sumo Logic and a faculty member at IANS, said via email. 

The rapid proliferation of malicious threat activity means that companies must be ready to respond to these threats at all levels beyond just the security operations team.
