The new SEC Rules establish a framework that requires rapid disclosure of material cybersecurity incidents (within 4 days), that companies be able to explain their cybersecurity posture and how they manage risks, and that boards describe their oversight of and expertise in cybersecurity.
This is a major leap forward for securing US public companies! The new regulation drives transparency of incidents, risk management processes, and board accountability. It may be the most impactful cybersecurity event this year that shifts the trajectory of how cyber risks are managed!
The new SEC Rules establish a framework that requires:
- Rapid disclosure of material cybersecurity incidents (within 4 days)
- Companies must be able to explain their cybersecurity posture and how they manage risks
- Boards of Directors must describe their oversight of and expertise in cybersecurity
These three simple rules will shake the current foundations across every sector, which are inconsistent and often flimsy, and force companies to build strong programs, integrated with board support, to protect customers’ and shareholders’ interests!
Overall, I very much like this requirement! Historically I have despised tech regulations, except when financial incentives fail to drive the industry to serve the best interests of the public, shareholders, or customers. It was true for Sarbanes-Oxley, privacy, and now cybersecurity.
There will be concerns about the definition of ‘materiality’ and the 4-day reporting requirement.
So first, as a former Incident Commander for an F100 tech firm: yes, businesses can report material breaches within 4 days. Typically, you understand how hot the fire may get in the first few hours. If you know the CEO will need to be briefed, it may be ‘material’, so the regulatory reporting team can get ready. This is doable.
Will a clear picture be determined of the root cause, scope of impacts, final damage tally, and every entity identified?
No. Not in 4 days. Incident response teams will not have all the final details or scope when they make the initial report. Those details will eventually come. The first thing is to notify shareholders. Keep in mind, if it is ‘material’ and you don’t make it public, how many insiders are going to SELL their stock/options because they know something that the public does not! Yeah, insider trading is bad.
Will companies ignore the requirements or try to game the system by fudging the date when they realized it was ‘material’?
Overall, public companies go to tremendous lengths to not violate SEC rules. Additionally, they really don’t like strong shareholder lawsuits that specify failures in the Board of Directors’ due care and diligence. If companies choose not to comply, then shareholders will have a very durable suit when they sue for damages.
The SEC can fine the company and sanction board members. And public sentiment may shift even more negatively, as news outlets will clearly cover such aspects in their reporting of incidents.
It would not surprise me if companies try to take small liberties in the interpretation of when they realized an incident was ‘material’. Taking an extra day might go under the radar, but that is still a tremendous gain for investors, who are often shut out from such events for long periods of time. In fact, many data breaches and cyber-attacks are revealed by security researchers or customers first. Only then do companies feel compelled to make a public announcement.
Anything more than a day will probably be scrutinized. It would be hard for a company to claim that they didn’t believe it was material at a point when everyone is on red alert, they called in major forensic and incident vendors, production is stopped, millions of sensitive customer records are on the darknet, or their customer support boards are lit up like a Christmas tree on fire. Those will be the details that are brought up in the lawsuits and SEC investigation.
So overall, the 4-day notification rule is reasonable.
I believe all these requirements will force transparency for incidents, commitment to cybersecurity risk management, and board responsibility/expertise!
Ironically, many of the companies that will voice opposition will likely also take advantage of such public data to understand the security posture and board expertise of other firms when they evaluate business partnerships and M&A deals, define supplier requirements, and make vendor selections. Customers, investors, insurance providers, and potential business partners will want to know whether a company they are financially tied to has a mature cybersecurity program that is overseen by savvy board members.
The ripples of this SEC requirement will drive significant and fundamental improvements to cybersecurity that help everyone!
SEC Press Release: https://www.sec.gov/news/press-release/2023-139