New SEC Regulations: US Businesses Must Report Cyberattacks within 4 Days – Source: heimdalsecurity.com

Source: heimdalsecurity.com – Author: Madalina Popovici

The U.S. Securities and Exchange Commission (SEC) has approved new rules requiring publicly traded companies to disclose cyberattack details within four days of identifying a “material” impact on their finances, signaling a significant change in breach disclosure practices.

SEC Chair Gary Gensler emphasized the need for consistent, comparable, and decision-useful cybersecurity disclosure to benefit companies and investors.

Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors.

Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.

The new obligations mandate that companies disclose the nature, scope, timing, and impact of the cyberattack. However, if sharing such specifics “poses a substantial risk to national security or public safety”, the disclosure can be delayed by up to 60 days.

Additionally, the rules require companies to describe annually their methods for assessing, identifying, and managing cybersecurity risks, as well as the material effects and risks arising from such events. Information about ongoing or completed remediation efforts must also be shared.

Concerns Over ‘Material’ Impact Determination and Disclosure Timelines

While the policy, initially proposed in March 2022, aims to bring more transparency into cybersecurity threats faced by U.S. companies, some experts express concerns that determining “material” impact might be challenging for organizations, as they lack systems to quantify risks adequately.

Most organizations are not prepared to comply with the SEC guidelines as they cannot determine materiality, which is core to shareholder protection. They lack the systems to quantify risk at broad and granular levels.

It’s worth noting that the rules do not extend to providing specific, technical information about the company’s planned response, cybersecurity systems, networks, devices, or vulnerabilities that could impede the response or remediation efforts.

While many view the new rules as a positive step toward greater transparency and accountability, some worry that the tight four-day disclosure window may lead to inaccurate reports, explains THN.

Other countries, however, already impose varying timelines for breach reporting, ranging from 24 hours in China and Singapore to 72 hours in the E.U., the U.K., Canada, South Africa, and Australia.

Recent reports revealed that 560 businesses and over 33 million individuals have fallen victim to the MOVEit attacks orchestrated by the Cl0p ransomware gang. These attacks were fueled by the exploitation of critical flaws in software widely used in enterprise environments, and the threat actors behind them used novel exfiltration methods to steal sensitive information.

The Securities and Exchange Commission’s press release is available here.

Original Post URL: https://heimdalsecurity.com/blog/new-sec-regulations-us-businesses-must-report-cyberattacks-within-4-days/

Category & Tags: Cybersecurity News – Cybersecurity News