The US Securities and Exchange Commission (SEC) has recently implemented new regulations mandating publicly-listed companies to disclose significant cybersecurity incidents within a four-day window.
These stringent rules, set to take effect from December 2023, have been designed with good intentions, but they may also stir discontent among firms who feel overly scrutinized and potentially expose vulnerabilities to cyber attackers. The new mandate requires companies to provide details about “material” cyberattacks, including the nature, scope, and timing of the incident, as well as its material impact or reasonably likely material impact on the company.
The term “material impact” is defined by the SEC as harm to a company’s reputation, customer or vendor relationships, or competitiveness, in addition to the risk of litigation or regulatory action.
This definition, while comprehensive, could be seen as broad and somewhat ambiguous. In the immediate aftermath of a cyberattack, it’s often challenging for companies to accurately assess the type and scope of the breached data. Unlike the theft of a physical object, where the loss is immediately apparent, data theft is more elusive.
Data can be copied and transferred without leaving a noticeable void in its original location. Therefore, it often takes longer than four days for organizations to confidently ascertain what data might have been accessed by cybercriminals. The new rules could potentially lead to situations where companies, in their rush to meet the disclosure deadline, share inaccurate or incomplete information with the authorities, affected partners, employees, and customers.
There have been instances where companies announced a data breach, only to later reveal that more data was stolen than initially reported, causing further harm to their brand and business relationships. Moreover, a company that overstates the severity of a data breach may find it difficult to reverse the damage caused by the initial announcement. There’s also a risk that a company, in its haste to comply with the disclosure deadline, might prematurely announce that it fell victim to an undisclosed zero-day vulnerability before responsibly reporting the flaw to a vendor and before a patch is made publicly available. This could potentially invite other cybercriminals to exploit the same vulnerability against other businesses.
Despite these concerns, it’s also important to acknowledge that some companies have previously withheld information about a cyberattack, downplayed its severity, or strategically released details of a breach to minimize damage to their reputation. The new rules aim to address these issues and enhance transparency by encouraging companies to disclose breaches in a “more consistent, comparable, and decision-useful way,” as stated by SEC chair Gary Gensler. While these new regulations will likely be welcomed by the general public and could bring about some benefits, they will also pose challenges for firms, particularly in the immediate aftermath of an attack.
Companies will need to balance the demands of managing the crisis at hand and complying with the new disclosure requirements, adding another layer of complexity to an already stressful situation.