Organisations operating in the US will have to get to grips with strict new cyber breach reporting regulations, handed down this week by the Securities and Exchange Commission (SEC).
The rules will apply to all US-listed companies, including Foreign Private Issuers – bodies primarily organised outside the US but that maintain secondary listings there.
They oblige organisations to disclose material cyber security incidents within four days of the point at which a breach is determined to be material. Delays will be permitted if an immediate disclosure would pose a risk to national security or public safety, although it is unclear whether this exception is a relevant factor beyond US borders.
Going forward, organisations will also have to disclose material information on their cyber risk management, strategy and governance on an annual basis.
“Whether a company loses a factory in a fire – or millions of files in a cyber security incident – it may be material to investors,” said SEC chair Gary Gensler.
“Currently, many public companies provide cyber security disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way.
“Through helping to ensure that companies disclose material cyber security information, today’s rules will benefit investors, companies and the markets connecting them,” he said.
Questions raised
The rules were waved through the SEC by three votes to two. Dissenting commissioner Hester Peirce argued that the SEC was overreaching by veering into “managing companies’ cyber defences” and complained the body was not qualified to do so.
Peirce also said the rules had the potential to aid malicious actors by making public information such as when an organisation found out it had been breached, what it knew, and what the financial fallout might be. They could also put off or even mislead potential investors who are unfamiliar with cyber security practice, she argued.
Compliance with the incident disclosure regime will begin either 90 days after the final regulations are published on the US Federal Register, or on 18 December 2023, while compliance with the risk reporting regime will begin with annual reports for fiscal years that end on or after 15 December 2023.
George Gerchow, IANS Faculty, and chief security officer and senior vice-president of IT at cyber analytics specialist Sumo Logic, described the SEC’s ruling as a great step towards achieving accountability and protecting consumers and investors.
“The reality is that most companies are currently ill-prepared to meet the requirement of reporting an incident of material impact within four days,” he said.
“One thing to note is that this ruling doesn’t require the reporting of technical details, but in the event of a breach, it will inevitably come down to tech at some point – and no company is prepared for that.
“While we are still waiting [to learn] what the penalties for failing to report will be, we can assume from [other] incidents … that it will lead to a DoJ situation where individuals’ jobs will be on the line.”
Scott Kannry, CEO and co-founder of Axio, a New York-based cyber resilience platform, said the requirement for organisations to disclose material breaches in a strict timeframe meant they would have to take steps to be prepared ahead of time.
For example, he said, CEOs and board directors would need to finally begin to understand cyber risk, while security leaders would need to better model the potential impact of threats.
“All key enterprise constituents need to have a better understanding of how cyber security events can impact the business and become more effective at minimising impact – and acting quickly – if an event should occur,” said Kannry.
“All these outcomes differ starkly from the prevailing norm, where governance is lacking, resources are misaligned, and enterprises fly blind to their most critical cyber security risks, putting the company and shareholders on uncertain ground.
“By properly preparing, enterprises will not only be able to disclose breaches within the required timeline, but they and their shareholders will also have an understanding of their cyber security risk from a financial impact perspective for better prioritisation and decision-making,” he said.