The U.S. Securities and Exchange Commission has adopted new rules requiring publicly traded companies to disclose cyberattacks within four business days after determining they're material incidents.
According to the Wall Street watchdog, material incidents are those that a public company's shareholders would consider important "in making an investment decision."
The SEC also adopted new regulations mandating foreign private issuers to provide equivalent disclosures following cybersecurity breaches.
"Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors," said SEC Chair Gary Gensler today.
"I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them."
Listed companies must now include details about the cyberattack (including the incident's nature, scope, and timing) in periodic report filings, specifically on 8-K forms.
These new cybersecurity incident reporting rules are set to take effect in December or 30 days after being published in the Federal Register.
However, smaller companies will be granted an additional 180 days before they are required to provide Form 8-K disclosures.
In some instances, the disclosure timeline may also be postponed if the U.S. Attorney General determines that an immediate disclosure would pose a significant risk to national security or public safety.
Timely disclosures designed to increase transparency
Today's announcement follows plans to adopt these new rules revealed by the SEC more than a year ago, in March 2022.
The new rules (PDF) provide investors with prompt notifications about security incidents that impact listed companies, improving their understanding of cybersecurity risk management and strategy.
They require the disclosure of the following breach-related information (provided it is available at the time of filing Form 8-K):
- The date of discovery and status of the incident (ongoing or resolved).
- A concise description of the incident's nature and extent.
- Any data that may have been compromised, altered, accessed, or used without authorization.
- The impact of the incident on the company's operations.
- Information about ongoing or completed remediation efforts by the company.
However, affected companies are not expected to disclose technical specifics of their incident response plans or details about potential vulnerabilities that might influence their response or remediation actions.
According to Lesley Ritter, Senior Vice President for Moody's Investors Service, the new rules will increase transparency but will likely prove challenging for smaller companies.
"The cybersecurity disclosure rules adopted by the U.S. Securities and Exchange Commission earlier today will provide more transparency into an otherwise opaque but growing risk, as well as more consistency and predictability," Ritter told BleepingComputer.
"Increased disclosure should help companies compare practices and may spur improvements in cyber defenses, but meeting the new disclosure standards could be a bigger challenge for smaller companies with limited resources."
Comments
wright_is - 1 year ago
Seems like GDPR, but only if it affects investors, not actual people's data or systems... And a more relaxed reporting timescale - 4 days, instead of 3.
Still, it is a move in the right direction.
JohnTillotson777999 - 1 year ago
What this really means is that any communications from IT Security will be blocked by default before they reach the ears of anyone who may be held responsible by the SEC, to give the leadership time to cover their butts.
Ain't nobody who's going to pick up the phone if the caller ID says "ITSec". Plausible Deniability, dont'cha know?
LIstrong - 1 year ago
This is so much more than breach disclosure. Best to read Chairman Gensler's statement that this modifies Sarbanes-Oxley and requires an annual external cyber audit by CPAs. What that audit consists of remains to be seen, but I assume it's either a SOC 2 Type 2 with additional vendor risk disclosure, or it is based on Treasury's FFIEC examinations (NIST 800-53), which had an update to the third-party risk guidance a few weeks ago. Either way it's a lot more disclosure than any company, outside of banks, is accustomed to.
They’ve done a great job with defining breach and it includes unauthorized access.
If audits are like SOC 2s, I'm assuming logs may be examined. Hopefully Microsoft also provides the logs showing changes to AD for free and the ability to download them. Purview needs to work with all subscriptions. The focus isn't just on breaches - it's primarily on process. A lot of focus will be on ticket lifecycle, change control, access to production, and monitoring not only endpoints but IAM and PAM. All actions and investigations need to be turned into a ticket.
Best for big companies, if your auditors include a COSO statement in your annual report (most do), to make sure GRC is placed in your 2nd line reporting to Finance, instead of cybersecurity. And make sure they are qualified in accordance with NIST 800-181 (NICE Cybersecurity Framework) skills requirements. This is about cybersecurity oversight, especially if your IA doesn't have technologists on staff.
GRC software is not required, but enterprise-class ITSM integrated with SIEM is necessary. If advisory is desired, go with someone who can prepare for SOC 2, and be aware that disclosure of cybersecurity staff, consultants, vendors and contractors is required - so too is turnover a discoverable metric.
https://www.sec.gov/news/statement/gensler-statement-cybersecurity-072623