8-K a Need for Cyber Threat Intel

According to IBM's Cost of a Data Breach Report 2022, the global average total cost of a data breach rose by USD 0.11 million to USD 4.35 million in 2022, the highest figure in the history of the report. The increase from USD 4.24 million in the 2021 report to USD 4.35 million in the 2022 report is a 2.6% rise.

See:  https://www.ibm.com/reports/data-breach

In addition to the financial cost, US publicly held companies now face a timed reporting obligation. The US Securities and Exchange Commission (SEC) announced on 26 July 2023 that it has adopted new cybersecurity incident disclosure rules for public companies, although there is some concern that the new rules may actually help attackers. The stated goal of the rules is "to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents".

Publicly traded companies will be required to disclose, through a Form 8-K filing, any cybersecurity incident they determine to be material within four business days of that determination, unless the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, in which case the filing may be delayed.

Would it not make more sense to prevent a cyber breach from happening in the first place? There is a service named RedXray that can notify any organization in the world of cyber threats that have not yet breached the entity's network. US publicly held companies could save time and embarrassment by not having to report breaches that could have been prevented.

The 8-K filing must describe the incident's nature, timing and scope, and its material impact or reasonably likely material impact on the company. It is worth noting that the four-business-day clock starts when the company determines that the incident is material, not when the incident is discovered; the rule also requires that materiality determination to be made without unreasonable delay after discovery, so the clock cannot be stalled by deferring the decision. Companies will also have to provide, in their annual reports, information on their processes for identifying, assessing and managing material risks from cyber threats, as well as on whether risks from cyber threats, including previous incidents, have materially affected or are reasonably likely to materially affect the company.

Information on the board of directors’ oversight of cybersecurity risks and management’s expertise and role in managing cybersecurity-related material risks will also need to be provided.

The Form 8-K disclosures will be required starting on the later of 90 days after publication of the rules in the Federal Register or 18 December 2023. Smaller reporting companies have been given an additional 180 days. "Whether a company loses a factory in a fire or millions of files in a cybersecurity incident, it may be material to investors," said SEC Chair Gary Gensler. "Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way."

While some have applauded the SEC's efforts to raise expectations for companies, others are not happy with the new rules. The rules passed by a 3-2 vote, and one of the two commissioners who voted against them, Hester Peirce, raised concerns that the requirements will harm investors because of the additional costs of the disclosure process. Peirce also pointed out that the disclosure requirements could actually help cybercriminals. "The strategy and governance disclosures risk handing them a roadmap on which companies to target and how to attack them. The 8-K disclosures, which are unprecedented in nature, could then tell successful attackers when the company finds out about the attack, what the company knows about it, and what the financial fallout is likely to be (i.e., how much ransom the attacker can get)," Peirce said.

"The requirement to file an amended 8-K when new information comes in will provide the attacker regular updates on the company's progress. The 8-K disclosures also will signal to other would-be attackers an opportune time to attack. The careful drafting necessary to avert some of these problems will be difficult in the four-day filing timeframe," Peirce added.

This article is presented at no charge for educational and informational purposes only.
Source:  
https://www.securityweek.com/companies-required-by-sec-to-disclose-cybersecurity-incidents-in-4-days/

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Reporting:    https://www.redskyalliance.org/
Website:       https://www.redskyalliance.com/
LinkedIn:      https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
