Government Industry Reactions to New SEC Cyber Incident Disclosure Rules: Feedback Friday
The US Securities and Exchange Commission (SEC) has adopted new cybersecurity incident disclosure rules for public companies, sparking a mixed response from industry professionals. While some have applauded the SEC's initiative as a step in the right direction, others express concerns about potential negative consequences of the new rules.
Disclosure Requirements and Concerns
Under the new rules, publicly traded companies will be required to disclose cybersecurity incidents they determine to be material within four business days of that materiality determination, and to provide annual disclosures describing their cybersecurity risk management, strategy and governance. The intent behind these requirements is to enhance transparency and accountability in the face of increasing cyber threats.
However, some industry professionals have raised concerns that the disclosure requirements could inadvertently help cybercriminals by giving them information they can leverage for further intrusion and extortion. Gareth Lindahl-Wise, CISO at Ontinue, suggests that the disclosures could reveal the impact of an attack to the attackers themselves and stretch out the timelines of extortion attempts. Tom Eston, VP of Consulting and Cosmos at Bishop Fox, adds that the level of detail in a disclosure could give attackers greater targeting and tactical intelligence.
Editorial: Balancing Transparency and Cybersecurity
The SEC's new cybersecurity incident disclosure rules are an important step towards enhancing transparency and accountability in the face of increasing cyber threats. However, it is crucial to strike a balance between transparency and security. While stakeholders must be promptly informed about the potential financial implications of a breach, disclosing too much operational detail (for example, which systems were compromised and what the attacker was able to reach) could inadvertently aid the same attackers while the incident is still being contained.
Organizations need to carefully weigh the risks and benefits of disclosing specific details about an incident. In particular, they should evaluate how disclosing certain information could affect their ability to contain the breach, preserve and gather evidence, and fully remediate the incident. At the same time, organizations must treat cybersecurity as a core aspect of their business strategy and invest in effective security controls, threat intelligence, employee training, and proactive risk assessments.
Advice for Affected Organizations
As the new SEC cybersecurity incident disclosure rules come into effect, affected organizations should take the following steps to navigate the landscape of disclosure requirements and cybersecurity:
1. Review Policies and Procedures
Companies should immediately start preparing and reviewing their policies, procedures, organizational structure, and tool sets. The new rules leave companies some flexibility in determining what counts as a "material" and therefore reportable incident. However, materiality decisions taken by management teams may be challenged in litigation, and it remains to be seen how these rules will be implemented in practice and whether the benefits will outweigh the costs and burden.
2. Enhance Incident Response Capabilities
With the requirement to disclose material incidents within a fixed timeframe, organizations should prioritize their incident response capabilities. Companies should have repeatable and well-documented incident response plans, communication plans, and procedures that cover the materiality determination and the filing of the required disclosure with the SEC. Organizations must also stay current on the cybersecurity laws and regulations that apply to them in each jurisdiction, so that SEC reporting fits alongside other notification obligations and the company develops a culture of prompt incident reporting and response.
3. Evaluate the Materiality of Incidents
When deciding whether to disclose an incident, organizations must carefully assess its materiality. The new rules require disclosure of incidents with a material impact, so it is important to define what "material" means in the context of cybersecurity. Companies should conduct careful assessments, involving legal, financial and security stakeholders, to determine whether there is a substantial likelihood that a reasonable investor would consider the incident important, that is, whether it significantly alters the total mix of information available to investors. Materiality should be judged on the incident's actual and reasonably likely impact on the business, not only on the technical scope of the compromise.
4. Maintain Focus on Cybersecurity Resilience
Organizations should not treat breach notification as the end goal of their cybersecurity efforts. Instead, companies should view security as a proactive discipline rather than an afterthought. The SEC's new rules provide an opportunity for companies to enhance their cybersecurity resilience by investing more resources in safeguarding their systems and data. This includes adopting secure-by-design principles, implementing effective security controls, and continuously monitoring and improving their security posture.
Conclusion
The new SEC cybersecurity incident disclosure rules have sparked varying responses from industry professionals. While the rules aim to enhance transparency and accountability, concerns have been raised about the potential unintended consequences of providing cybercriminals with valuable information. To navigate these challenges, organizations must carefully evaluate the materiality of incidents, prioritize cybersecurity resilience, and strike a balance between transparency and protecting their systems and data.