A set of amended rules recently proposed by the U.S. Securities and Exchange Commission (SEC) would require publicly traded companies to disclose security incidents within four days after they have been discovered.
The SEC said that its proposed mandate represents an effort to better standardize the disclosure process, while also giving investors more insight into companies’ risk management abilities and the security policies that they have in place. Under the amendments, companies would need to disclose cybersecurity incidents as part of a Form 8-K filing, typically reserved for companies to announce major events that shareholders should know about. Many companies do already disclose cybersecurity incidents to their investors through Form 8-K reports, said SEC Chair Gary Gensler; however, there is no requirement that mandates that they do so in a consistent or timely manner.
“I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner,” said Gensler. “I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies' cybersecurity practices and incident reporting.”
The proposed amendments, which have been in the works since February when the SEC first discussed the feasibility of a 48-hour incident reporting mandate, would also extend beyond case-by-case incident reporting: Companies would additionally be required to give periodic updates on previously reported security incidents, for instance. They would also need to occasionally give updates reflecting how they are implementing various security measures, including their policies for managing security risks, how they implement various security practices and the role of the board of directors and management in assessing risk and overseeing security procedures. The SEC said it will be taking comments on the proposed security incident reporting amendments until May 8.
Casey Ellis, CTO and founder with Bugcrowd, said the proposal is a “significant development” because the SEC is recognizing the direct impact a company's cybersecurity posture can have on its value.
“More importantly, the recommendation refocuses their advice on addressing breaches as a ‘when, not if’ matter, promoting transparency rather than avoidance,” said Ellis. “In many ways, this reflects what we've seen from firms and organizations who have made vulnerability disclosure and transparency a standard, and are now regarded as the most secure, trustworthy, and valuable in the market."
The proposed requirements join a number of mandates being mulled over by lawmakers and government agencies, which seek to clarify the incident reporting deadlines for companies hit by cyberattacks. These include the Strengthening American Cybersecurity Act, a bill that recently passed through the Senate that would require critical infrastructure owners and operators to report "substantial" cyber incidents to the U.S. government within a 72-hour timeframe, and a rule approved by the Federal Deposit Insurance Corporation (FDIC) in November that required banks to notify regulators of security incidents within 36 hours.
Dr. Francis Gaffney, director of threat intelligence and response with Mimecast, said that companies have historically been reluctant to report cyberattacks, due to concerns that it would damage their reputation or scare off investors. However, security incident reporting is critical for helping both government agencies and the security industry better understand how security threats are playing out and how to better defend against them, he said.
“Lots of nations want to have better clarity about what’s going on, whether it’s a ransomware attack or otherwise,” said Gaffney. “Incident reporting is actually helping others, and I think these mandates are positive and not meant in a punitive way.”