SEC Delays Critical Rule on Cyber Breach Reporting, Leaving Companies in Limbo

SEC Delays Critical Rule on Cyber Breach Reporting, Leaving Companies in Limbo

June 21, 2023

The Securities and Exchange Commission (SEC) has decided to push out the implementation of a critical final regulation until October. This cyber incident disclosure rule pertains to the mandatory reporting of significant cyber breaches and attacks by publicly traded companies in their regulatory filings.

Initially proposed in March 2022, the rule intends to enhance transparency and accountability in the realm of cybersecurity. Under this regulation, public companies would be obligated to submit a filing within a span of 4 days after determining the extent of a cyber breach.

cyber incident disclosure rule

Background on Proposed Rule for Cyber Incident Disclosures

This proposal arises from the recognition of the prolonged instances where businesses have either delayed or neglected to disclose such significant breach incidents.

A report released by the U.S. Senate in 2022 sheds light on the historical practices of companies, revealing that they have only reported approximately one-quarter of ransomware attacks to public authorities. These incidents have predominantly remained undisclosed as organizations have resorted to confidential arrangements involving ransom payments.

Besides, there are several reasons why businesses and organizations choose to use these types of non-disclosure procedures. For one, organizations worry about the possible consequences of going public, such as data releases causing more breaches, legal action from unhappy customers or investors, and significant reputational harm. Although reasonable from a corporate standpoint, these worries obstruct the larger goal of creating a more safe and resilient business environment.

SEC Delays Cyber Rule

According to IT security experts, the SEC’s decision to delay the implementation of the rule on cyber breach reporting is expected to amplify the level of risk. This is primarily due to the fact that numerous investors, consumers, and companies heavily depend on voluntary disclosure when it comes to such data breach incidents.

Gary Barlet, field CTO at Illumio, expressed via email that if the SEC postpones ruling on cyber incident disclosures, the reporting of breaches will likely remain voluntary, and he noted that historically, this approach has been ineffective.

Many businesses, like the cybersecurity company Rapid7, have also voiced their worries about the possible dangers posed by the suggested disclosure standards. According to them, making ongoing attacks a matter of public record could be detrimental. The argument presented is that if a company is compelled to disclose the incident before it is contained, it may inadvertently alert criminal hackers, thereby exacerbating the situation.

In general, the cyber rule garners support from the community. Comparing the SEC’s regulation to existing incident disclosure requirements, such as state-level data breach legislation and sector-specific reporting requirements, the Digital Forensic Research Lab claims that the SEC’s rule would offer a better degree of cybersecurity openness.

SEC Delays Critical Rule on Cyber Breach Reporting, Leaving Companies in Limbo

Why Regulatory Changes Are Needed

There are several reasons for the SEC’s delayed ruling on cyber breach reporting. First, a thorough and well-considered approach to regulation may be required, given the complexity and constantly changing nature of cybersecurity risks.

The SEC’s cyber incident disclosures final rule involves striking a balance between promoting transparency and preventing unnecessary burdens for companies, particularly those already facing resource constraints. Thus, crafting a rule that effectively addresses these concerns while remaining adaptable to future developments is undoubtedly challenging.

Moreover, the SEC’s decision-making process involves soliciting public input and considering various stakeholders’ perspectives. Delays may stem from the extensive deliberation required to ensure that the rule effectively captures the diverse needs and interests of the financial markets. Balancing the competing priorities of investors, businesses, and regulators requires time and careful consideration.

SEC Delays Critical Rule on Cyber Breach Reporting, Leaving Companies in Limbo

Concerns Regarding the 4-Day Reporting Requirement

With the 4-day requirement, the SEC aims to improve transparency, enable swift reaction actions, and give timely information to clients, shareholders, and regulatory agencies. And while the core objective of the reporting requirement is reasonable, enterprises may face considerable implementation difficulties.

One of the primary concerns is the complexity and magnitude of cyber breaches. Discovering and thoroughly assessing the extent of a breach within such a short timeframe can be daunting, especially when dealing with sophisticated attacks. Rushed reporting may also result in incomplete or inaccurate information, potentially misleading stakeholders and hindering effective incident response.

Another challenge lies in the nature of cyber breaches themselves. Sophisticated attacks often involve intricate infiltration techniques and stealthy maneuvers within an organization’s network. Unraveling the intricacies of such incidents requires thorough forensic analysis and investigation, which may extend beyond the 4-day timeframe.

While authorities like the SEC should encourage collaboration and offer the necessary support to solve the obstacles associated with completing reporting responsibilities, organizations themselves should prioritize implementing proactive cybersecurity measures. Together, these initiatives can help create a more secure and resilient data environment.

Kent Cañas

Kent is a content strategist currently specializing in HIPAA-compliant online fax. Her expertise in this field allows her to provide valuable insights to clients seeking a secure and efficient online fax solution.

More great articles
best document management system
3-Part Guide to Finding the Best Document Management System

In the old days, managing documents was done manually using a physical system. People kept their printed copies in bulky…

Read Story
hipaa compliance for law firms
HIPAA Compliance for Law Firms Explained: 2024 Easy Guide

This post delves into the importance of HIPAA compliance for law firms and what must be done to ensure they meet these…

Read Story
hipaa-compliant phone and fax solutions
5 Best HIPAA-Compliant Phone and Fax Solutions

This list features the best HIPAA-compliant phone and fax solutions, suitable for healthcare organizations and other businesses that handle PHI.

Read Story
Subscribe to iFax Newsletter
Get great content to your inbox every week. No spam.

    Only great content, we don’t share your email with third parties.