On Wednesday, the U.S. Securities and Exchange Commission adopted rules requiring public companies to disclose cybersecurity incidents that could affect their financial condition within four business days of determining that an incident is material. Where immediate disclosure would pose a substantial risk to national security or public safety, a company may delay the disclosure, but only if the U.S. Attorney General makes that determination and notifies the SEC of it in writing.
The new rules, adopted by a 3-2 vote along party lines, also require publicly traded companies to describe in their annual reports how they manage cybersecurity risk and what relevant expertise their management has. The stated purpose of the regulations is to protect investors.
When the Attorney General determines that disclosure would pose a substantial risk to national security or public safety and informs the SEC in writing, the delay is granted in stages: an initial period of up to 30 days, a further 30 days if the risk persists, and an extension beyond that 60-day total only in extraordinary circumstances.
SEC’s Emphasis on Disclosure of Material Impact Incidents
In a statement accompanying the rules, SEC Chair Gary Gensler said that what matters to investors is whether an incident is material to the company, whether that means losing a factory in a fire or losing millions of files in a cybersecurity incident. Gensler noted that companies' current disclosure practices are inconsistent, and the new rules are meant to bring more consistent and transparent reporting to a growing risk.
The rules give a company four business days to report such an incident once it has determined that the incident is material. That determination must be made without unreasonable delay after the incident is discovered, so the window is not a grace period counted from the breach itself, though it does give companies time to assess the incident before disclosing it.

However, not everyone is on board with the new requirements. Hester Peirce, one of the dissenting Republican commissioners, voiced concerns that the SEC might overstep its authority and unintentionally aid potential hackers by providing them with detailed information about how companies manage cyber risk. Peirce also worried that the SEC’s involvement might lead to micromanaging of company operations.
On the other hand, cybersecurity experts like Tenable CEO Amit Yoran welcomed the new rule. He stated that many large companies had treated cybersecurity as a secondary concern, but now it is clear that it must become a top priority within organizations.
SEC Implements Stricter Cybersecurity Regulations to Safeguard Investors and Consumers
The case for such rules is supported by IBM's annual breach cost report, which found that organizations now spend an average of about US$4.45 million responding to a data breach, a 15% increase over the past three years. Affected businesses often pass these costs on to consumers, who may themselves be victims of personal information theft in the same breach.
Slow and often vague disclosures have been on display in the ongoing fallout from a Russia-linked cybercriminal group's mass exploitation of a flaw in MOVEit Transfer, a widely used file transfer product, which reached many organizations through their vendors. The breach has affected universities, major pension funds, U.S. government agencies, more than 9 million motorists in Oregon and Louisiana, and prominent companies including the BBC, British Airways, Ernst & Young, and PricewaterhouseCoopers. Many victims have expressed frustration that a third-party application let them down.
The new SEC rule covers material incidents on third-party systems a company uses, not only those it owns, reflecting the growing reliance on external cloud services for data management and storage. As attacks become more sophisticated, the potential cost to investors from cybersecurity incidents has risen sharply, and the absence of a comprehensive federal breach disclosure law makes clear and consistent company reporting requirements all the more important.