Public companies will be required to disclose material cybersecurity events within a four-day window, according to newly adopted, tightened reporting rules from the Securities and Exchange Commission (SEC).
That four-day reporting period could keep managed security service providers (MSSPs) and managed service providers (MSPs) on their toes. In some cases, the service providers themselves could be publicly held companies. In other cases, publicly held customers may call on their MSSPs and MSPs to help rapidly document an incident.
Additionally, the reporting requirement could confuse critical infrastructure owners and operators, who must report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within three days. It could also clash with a one-day requirement following a ransom payment.
Reporting Process Detailed
The Wall Street watchdog said in a 3-2 vote that registrants will be required to report a security incident in an 8-K document within four business days and also disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance to better inform investors, the SEC said.
The rules were first proposed more than a year ago. Congress has gone through a number of bills before arriving at the Cyber Incident Reporting Act that served as a key element of the current rules, which are hinged on "material" events. In addition, there’s been some discussion among legislators and cyber leaders on charging fees to entities, including service providers, for failing to report incidents.
According to the SEC, a material event is one that would require the company’s shareholders to consider along with other information when or if making an investment.
The regulations will also require reporting of the following:
- Describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.
- Registrants must describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats.
- Describe material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.
- Annual report of the board of directors’ oversight of risks from cybersecurity threats.
- Annual report of management’s role and expertise in assessing and managing material risks from cybersecurity threats.
SEC Chair Gary Gensler commented on the new rules:
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Business Community Reacts
Already there’s been some push back from the business community, which has objected to the four-day requirement, arguing that it is unreasonable and that a public disclosure could boomerang on corporations that could be exploited by hackers.
The final rules will become effective 30 days following publication of the release in the Federal Register or likely in December 2023.
Some security providers weighed in on the SEC’s incident reporting rules. For example, Husnain Bajwa, Beyond Identity vice president of product strategy, said:
“The recent SEC ruling is certainly a step in the right direction. Requiring prompt disclosure of data breaches highlights the necessity of proactive accountability that begins long before a breach has occurred especially when they are highly foreseeable.”
Jeffrey Wheatman, Black Kite senior cyber risk evangelist, said private companies will have to take note of the new rules as well:
“This is a challenging process in which there are no current requirements or standards to follow today, and as a result, public organizations will likely be left with questions on how to implement these new regulations as part of their overall cybersecurity strategies…
"Additionally, while this is currently targeted at public companies, private companies should also take note as it will impact the full cybersecurity ecosystem. A private company might work with customers or vendors who will need to comply with these regulations, so they should pay attention to the ruling and start updating their protocols accordingly to take cyber risk seriously.”