US Companies to Disclose Cyber Attacks in 4 Days, As Per New SEC Regulations


The U.S. Securities and Exchange Commission (SEC) has put forth new regulations that obligate publicly listed companies to reveal cyber attack details within four days, if such attacks significantly impact their financial standing. This decision marks a significant transformation in the disclosure procedures of cyber breaches.

SEC chair Gary Gensler stated, “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. We need a more consistent, comparable, and decision-useful way of providing cybersecurity disclosure to investors.”

The newly established rules stipulate that companies need to disclose the nature, scope, and timing of the incident, along with its impact. However, under certain circumstances, this disclosure could be delayed for an additional 60 days if revealing such specifics would “pose a substantial risk to national security or public safety.”

Moreover, companies are required to annually outline their strategies and methods for identifying, assessing, and managing substantial cybersecurity threats, discuss potential risks or material effects stemming from these events, and provide information about ongoing or completed remediation efforts.

“The key word here is ‘material,’ and being able to determine what that actually means is a challenge,” Saket Modi, Safe Security CEO, told The Hacker News. “Most organizations are unprepared to comply with the SEC guidelines as they cannot determine materiality, a core aspect of shareholder protection. They lack the systems to quantify risk at broad and granular levels.”

However, these rules do not apply to “specific, technical information about the registrant’s planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.”

The policy, initially proposed in March 2022, aims to enhance the transparency of cyber threats facing U.S. companies, close the gaps in cybersecurity defense and disclosure practices, and fortify the systems against data theft and intrusions.

Recently, over 500 companies fell victim to a wave of cyber attacks by the ransomware gang Cl0p, which exploited critical vulnerabilities in software commonly found in enterprise environments and used new exfiltration methods to steal data, according to Kroll.

Amit Yoran, Tenable CEO and Chairman, stated that the new rules on cyber risk management and incident disclosure are “right on the money” and represent a “dramatic step toward greater transparency and accountability.”

However, some have expressed concern that the four-day time frame could lead to inaccurate disclosures, as it can take weeks or even months for a company to thoroughly investigate a breach. Early breach notifications could also inadvertently signal to other attackers that a target is vulnerable, amplifying security risks.

James McQuiggan, security awareness advocate at KnowBe4, commented, “While the new four-day reporting requirement set by the SEC seems aggressive, it is more lenient than the timeframe in other countries. For example, in the EU, the UK, Canada, South Africa, and Australia, companies have 72 hours to report a cyber incident. In China and Singapore, it’s 24 hours, and India requires a report within six hours.”

He added, “Organizations should have well-documented and repeatable incident response plans with communication plans, procedures, and requirements on who is involved in the incident and when.”
