New SEC Rules Require Prompt Disclosure of Cyber Attacks by US Companies
The U.S. Securities and Exchange Commission (SEC) has approved new rules that require publicly traded companies to disclose, within four business days, any cyber attack that could affect their financial results [1] [2] [5]. The rules have raised concerns within the cybersecurity community [5].
Description
The SEC’s new rules mandate that companies disclose material cyber attacks within four business days, describing the nature, scope, timing, and impact of the incident [1] [6]. Materiality is defined as information that investors would consider important or that would significantly alter the information already available to them [3]. Companies may delay disclosure for up to 60 days if disclosure would pose a risk to national security or public safety [1]. The rules also require annual disclosure of each company’s cybersecurity risk management, strategy, and governance [1] [2] [3] [4] [6]. The stated aim is to protect investors and increase transparency [2].

Experts have expressed concern about the tight disclosure window [1]: a report filed within four business days of an incident may be inaccurate, and publishing details of an attack that is still being contained may heighten the security risk to the company [1]. Nevertheless, cybersecurity experts welcome the rules as a necessary step toward making cybersecurity a priority within organizations [2]. The average cost to an organization of handling a breach has risen to $4.5 million [2], with those costs passed on to consumers. The new SEC rule also covers third-party apps [2], reflecting companies’ increasing reliance on outside cloud services for data management and storage [2].

The final rules become effective 30 days after publication in the Federal Register [4]. Smaller reporting companies have an additional 180 days before they must report material incidents on Form 8-K [4]; meeting the new disclosure standards may be challenging for smaller companies with limited resources [4]. The SEC has already taken steps to enforce greater transparency and clarity about companies’ past cybersecurity practices [4], including reaching a settlement with software firm Blackbaud and notifying SolarWinds of possible enforcement action [4]. The rules were adopted 16 months after they were first proposed [5], giving companies ample time to prepare for compliance [5].
The rules also apply to foreign private issuers [6], which must disclose material cybersecurity incidents on Form 6-K and Form 20-F. The deadlines for these disclosures vary with the type of form and the size of the reporting company [6].
Conclusion
The new SEC rules have significant implications for companies and the cybersecurity community. While they aim to protect investors and increase transparency [2], concerns have been raised about the tight time frame for disclosure and the potential for inaccurate reports and heightened security risks. However, experts view these rules as a necessary step to prioritize cybersecurity within organizations [2]. The increasing cost of handling breaches and the reliance on third-party apps highlight the importance of these rules. Smaller companies may face challenges in meeting the new disclosure standards due to limited resources. The SEC’s enforcement actions and the ample time given for compliance indicate a commitment to greater transparency and clarity in cybersecurity practices. Foreign private issuers are also subject to these rules, with varying deadlines for disclosure. Overall, these rules represent a significant step towards addressing the increasing risk of cyber attacks and protecting investors.
References
[1] https://thehackernews.com/2023/07/new-sec-rules-require-us-companies-to.html
[2] https://apnews.com/article/sec-cybersecurity-breach-disclosure-risk-hacking-bb6252463637793bfdc8ace5bfcbe7df
[3] https://www.darkreading.com/edge/sec-adopts-new-rule-on-cybersecurity-incident-disclosure-requirements
[4] https://www.cybersecuritydive.com/news/sec-votes-disclosure-cyber-events/689057/
[5] https://www.law.com/corpcounsel/2023/07/27/many-companies-ill-prepared-to-meet-newly-adopted-sec-cybersecurity-rules/
[6] https://www.journalofaccountancy.com/news/2023/jul/sec-adopts-final-rules-regarding-cybersecurity-disclosures.html