On Wednesday, the U.S. Securities and Exchange Commission (SEC) approved new regulations that impose requirements on publicly traded companies to disclose details of a cyber attack within four days of identifying its “material” impact on their financial situation. This marks a significant change in how companies are expected to disclose cybersecurity breaches.
SEC chair Gary Gensler highlighted that incidents like a factory fire or a cybersecurity breach with millions of compromised files can both have material implications for investors. While many public companies currently provide cybersecurity disclosures, Gensler believes that a more consistent, comparable, and decision-useful approach to such disclosures would benefit both companies and investors.
Disclose specific details about the nature, scope, and timing of the cyber attack
Under the new rules, companies are obligated to disclose specific details about the nature, scope, and timing of the cyber attack, as well as its impact. However, there is a provision to delay this disclosure for an additional period of up to 60 days if revealing such specifics could pose a significant risk to national security or public safety.
In addition to the immediate disclosure requirements, companies must also provide an annual description of their methods and strategies for assessing, identifying, and managing material risks from cybersecurity threats. They must detail the material effects or risks resulting from such incidents and share information about any ongoing or completed remediation efforts. These measures are intended to improve transparency and accountability in cybersecurity reporting among publicly traded companies.
Determination is crucial for safeguarding shareholders’ interests
Saket Modi, the CEO of Safe Security, emphasized the significance of the term “material” in the context of the new SEC guidelines. He pointed out that many organizations are not adequately prepared to comply with these guidelines because they struggle to determine what constitutes materiality. This determination is crucial for safeguarding shareholders’ interests, yet many companies lack the necessary systems to assess risk effectively at both broad and granular levels.
However, the rules explicitly state that specific technical information about a company’s planned response to a cyber attack, its cybersecurity systems, related networks, and potential system vulnerabilities need not be disclosed in great detail if doing so would hinder the company’s response or remediation efforts.
Enhance transparency regarding the cybersecurity threats
The policy, which was initially proposed in March 2022, aims to enhance transparency regarding the cybersecurity threats faced by U.S. companies, particularly from cybercrime and nation-state actors. It seeks to address gaps in cybersecurity defense and disclosure practices, ultimately strengthening systems against data theft and unauthorized intrusions.
Recent months have seen over 500 companies falling victim to a cyber attack campaign orchestrated by the Cl0p ransomware gang. These threat actors have exploited critical vulnerabilities in widely used enterprise software, using new methods to exfiltrate data.
Amit Yoran, the CEO and Chairman of Tenable, praised the new rules on cyber risk management and incident disclosure, stating that they are an important step toward greater transparency and accountability in the business world.