In order to ensure prompt disclosure of cybersecurity incidents by public companies, the US Securities and Exchange Commission (SEC) has implemented a new rule that requires companies to report “material cybersecurity incidents” within four days. The rule allows disclosure to be delayed if the US attorney general determines that immediate disclosure would pose a substantial risk to national security or public safety. While this new regulation serves as a strict guideline for reporting cyberattacks, it is slightly less restrictive than the three-day deadline established by the EU’s General Data Protection Regulation (GDPR).
This decision follows the criticism faced by Microsoft for taking several weeks to confirm an attack against its Outlook email service and other online platforms. The delay in providing information about the impact of the attack was troubling to cybersecurity experts who emphasized the importance of timely and transparent disclosure. Jake Williams, a cybersecurity researcher and former NSA hacker, stated, “We really have no way to measure the impact [of the attack] if Microsoft doesn’t provide that info.”
The focus of the SEC’s rule appears to be on protecting investors, as SEC Chair Gary Gensler explained, “Currently, many public companies provide cybersecurity disclosure to investors… I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.” The SEC aims to enhance the quality and usefulness of cybersecurity disclosure for investors.
However, technology companies have expressed concerns and opposition to the SEC’s rules since they were initially announced last year. As a result, a delay clause was included to address these concerns. The Information Technology Industry Council argued that the four-day deadline may be too short, as companies may not have gathered sufficient information about the cyberattack within that timeframe.
The implementation of this rule reflects the growing importance of cybersecurity in today’s digital landscape. Cyberattacks have become increasingly sophisticated and damaging, impacting not only companies but also their customers and stakeholders. Timely reporting of cybersecurity incidents is crucial to mitigating risk and ensuring appropriate measures are taken to protect sensitive data and prevent further attacks.
The SEC’s action aligns with global efforts to address cybersecurity concerns, such as the GDPR in the European Union. The GDPR sets a more stringent three-day deadline for reporting data breaches. The SEC’s four-day deadline is a step towards aligning with international standards while accommodating the complexities and challenges faced by public companies dealing with cyber threats.
Prominent technology companies have been at the forefront of this discussion, urging regulators to consider the unique characteristics and dynamics of cyberattacks. They argue that the severity and impact of these incidents may not be fully understood within four days, emphasizing the need for flexibility in reporting timeframes. Balancing the need for immediate disclosure with the necessity of comprehensive and accurate information is a complex challenge that regulators and companies must address collectively.
The SEC’s rule provides a framework for companies to reassess their cybersecurity protocols, incident response plans, and communication strategies. It emphasizes the importance of proactive measures and continuous monitoring to identify and mitigate cyber threats promptly. By setting clear expectations for disclosure, the rule encourages transparency and accountability in the cybersecurity landscape.
Public companies will need to review their existing cybersecurity policies and procedures to ensure compliance with the SEC’s four-day deadline. They may need to strengthen their incident response capabilities, enhance their cybersecurity awareness programs, and invest in advanced threat detection and prevention technologies. These efforts will help build resilient and secure organizations that can withstand and effectively respond to cyberattacks.
Furthermore, the SEC’s rule highlights the role of collaboration between the public and private sectors in addressing cybersecurity challenges. Effective communication and information sharing between companies, regulators, and law enforcement agencies are critical to combating cyber threats at a national and global level. By fostering a culture of cooperation, public and private entities can pool their resources, expertise, and intelligence to stay one step ahead of cybercriminals.
In conclusion, the US SEC’s four-day deadline for reporting “material cybersecurity incidents” is a significant step towards enhancing cybersecurity disclosure and protection for investors. While companies have expressed concerns about the short timeframe, the rule reflects the urgency of addressing cyber threats in today’s digital landscape. By aligning with global standards and emphasizing transparency, the SEC aims to ensure that investors are well-informed and companies are held accountable for their cybersecurity practices.