June 21, 2023
The Securities and Exchange Commission (SEC) has decided to push out the implementation of a critical final regulation until October. This cyber incident disclosure rule pertains to the mandatory reporting of significant cyber breaches and attacks by publicly traded companies in their regulatory filings.
Initially proposed in March 2022, the rule intends to enhance transparency and accountability in the realm of cybersecurity. Under this regulation, public companies would be obligated to submit a filing within a span of 4 days after determining the extent of a cyber breach.
Table of Contents
Background on Proposed Rule for Cyber Incident Disclosures
This proposal arises from the recognition of the prolonged instances where businesses have either delayed or neglected to disclose such significant breach incidents.
A report released by the U.S. Senate in 2022 sheds light on the historical practices of companies, revealing that they have only reported approximately one-quarter of ransomware attacks to public authorities. These incidents have predominantly remained undisclosed as organizations have resorted to confidential arrangements involving ransom payments.
Besides, there are several reasons why businesses and organizations choose to use these types of non-disclosure procedures. For one, organizations worry about the possible consequences of going public, such as data releases causing more breaches, legal action from unhappy customers or investors, and significant reputational harm. Although reasonable from a corporate standpoint, these worries obstruct the larger goal of creating a more safe and resilient business environment.
SEC Delays Cyber Rule
According to IT security experts, the SEC’s decision to delay the implementation of the rule on cyber breach reporting is expected to amplify the level of risk. This is primarily due to the fact that numerous investors, consumers, and companies heavily depend on voluntary disclosure when it comes to such data breach incidents.
Gary Barlet, field CTO at Illumio, expressed via email that if the SEC postpones ruling on cyber incident disclosures, the reporting of breaches will likely remain voluntary, and he noted that historically, this approach has been ineffective.
Many businesses, like the cybersecurity company Rapid7, have also voiced their worries about the possible dangers posed by the suggested disclosure standards. According to them, making ongoing attacks a matter of public record could be detrimental. The argument presented is that if a company is compelled to disclose the incident before it is contained, it may inadvertently alert criminal hackers, thereby exacerbating the situation.
In general, the cyber rule garners support from the community. Comparing the SEC’s regulation to existing incident disclosure requirements, such as state-level data breach legislation and sector-specific reporting requirements, the Digital Forensic Research Lab claims that the SEC’s rule would offer a better degree of cybersecurity openness.
Why Regulatory Changes Are Needed
There are several reasons for the SEC’s delayed ruling on cyber breach reporting. First, a thorough and well-considered approach to regulation may be required, given the complexity and constantly changing nature of cybersecurity risks.
The SEC’s cyber incident disclosures final rule involves striking a balance between promoting transparency and preventing unnecessary burdens for companies, particularly those already facing resource constraints. Thus, crafting a rule that effectively addresses these concerns while remaining adaptable to future developments is undoubtedly challenging.
Moreover, the SEC’s decision-making process involves soliciting public input and considering various stakeholders’ perspectives. Delays may stem from the extensive deliberation required to ensure that the rule effectively captures the diverse needs and interests of the financial markets. Balancing the competing priorities of investors, businesses, and regulators requires time and careful consideration.
Concerns Regarding the 4-Day Reporting Requirement
With the 4-day requirement, the SEC aims to improve transparency, enable swift reaction actions, and give timely information to clients, shareholders, and regulatory agencies. And while the core objective of the reporting requirement is reasonable, enterprises may face considerable implementation difficulties.
One of the primary concerns is the complexity and magnitude of cyber breaches. Discovering and thoroughly assessing the extent of a breach within such a short timeframe can be daunting, especially when dealing with sophisticated attacks. Rushed reporting may also result in incomplete or inaccurate information, potentially misleading stakeholders and hindering effective incident response.
Another challenge lies in the nature of cyber breaches themselves. Sophisticated attacks often involve intricate infiltration techniques and stealthy maneuvers within an organization’s network. Unraveling the intricacies of such incidents requires thorough forensic analysis and investigation, which may extend beyond the 4-day timeframe.
While authorities like the SEC should encourage collaboration and offer the necessary support to solve the obstacles associated with completing reporting responsibilities, organizations themselves should prioritize implementing proactive cybersecurity measures. Together, these initiatives can help create a more secure and resilient data environment.
