The US Securities and Exchange Commission (SEC) this past week approved new rules that require publicly traded companies to publicize details of a cyber-attack within four days of identifying that it has a "material" impact on their finances, marking a major shift in how computer breaches are disclosed. "Whether a company loses a factory in a fire, or millions of files in a cybersecurity incident, it may be material to investors," the SEC chair said. "Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way."[1]
To that end, the new obligations mandate that companies reveal the incident's nature, scope, and timing, as well as its impact. This disclosure, however, may be delayed by an additional period of up to 60 days should it be determined that giving out such specifics "would pose a substantial risk to national security or public safety."
They also necessitate registrants to describe on an annual basis the methods and strategies used for assessing, identifying, and managing material risks from cybersecurity threats, detail the material effects or risks arising as a result of those events, and share information about ongoing or completed remediation efforts. "The key word here is 'material' and being able to determine what that actually means," Safe Security said. "Most organizations are not prepared to comply with the SEC guidelines as they cannot determine materiality, which is core to shareholder protection. They lack the systems to quantify risk at broad and granular levels." That said, the rules do not extend to "specific, technical information about the registrant's planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant's response or remediation of the incident."
The policy, first proposed in March 2022, is seen as an effort to bring more transparency into the threats faced by US companies from cybercrime and nation-state actors, close the gaps in cybersecurity defense and disclosure practices, and harden the systems against data theft and intrusions.
In recent months, more than 500 companies have become victims of a cyber-attack spree orchestrated by a ransomware gang called Cl0p, propelled by the exploitation of critical flaws in software widely used in enterprise environments, with the threat actors leveraging new exfiltration methods to steal data, according to Kroll.
Tenable said the new rules on cyber risk management and incident disclosure is "right on the money" and that they are a "dramatic step toward greater transparency and accountability. When cyber breaches have real-life consequences and reputational costs, investors should have the right to know about an organization's cyber risk management activities," Tenable added.
That said, concerns have been raised that the time frame is too tight, leading to possibly inaccurate disclosures, given that it may take companies weeks or even months to fully investigate a breach. To complicate the matter further, premature breach notifications could tip off other attackers to a susceptible target and exacerbate security risks. "The new requirement set forth by the SEC requiring organizations to report cyber-attacks or incidents within four days seems aggressive but sits in a more lax time frame than other countries," the security awareness advocate at KnowBe4, said. "Within the EU, the UK, Canada, South Africa, and Australia, companies have 72 hours to report a cyber incident. In other countries like China and Singapore, it's 24 hours. India has to report the breach within six hours. Either way, organizations should have repeatable and well-documented incident response plans with communication plans, procedures, and requirements on who is brought into the incident and when," KnowBe4 added.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://thehackernews.com/2023/07/new-sec-rules-require-us-companies-to.html
Comments