- The Security and Exchange Commission’s rules for disclosure and documentation of cyberattack incidents has come into effect for all public companies
- Businesses are required to disclose any cybersecurity incident deemed material, the incident’s scope, nature, and timing, and its material impact
- Companies also have to reveal processes for assessing, identifying, and managing material risks from threats and the role of the board of directors and management in assessing and managing risk
- Disclosures must be filed within four business days of the event’s discovery, which could increase pressure on cybersecurity teams
The Security and Exchange Commission’s (SEC) rules on cyberattack incident disclosure are now in effect for all public companies. Adopted in July, these rules demand that firms disclose any cybersecurity incident deemed to be material, along with the incident’s scope, nature, and timing, and the material impact. Companies are also required to provide details on processes for assessing, identifying, and managing material risks from these threats, as well as the board of directors’ and management’s role in risk assessment and management.
Significantly, written disclosures must be filed within four business days of the event’s discovery. This tighter timeframe could increase pressure on security teams and even embolden cybercriminals.
Chris Pierson, founder and CEO of cybersecurity firm BlackCloak, notes that the new rules will have a major impact on the role of Chief Information Security Officers (CISOs), emphasizing the need for careful risk analysis. He warns that the new timeframe requirements could be exploited by cyberattackers, who may control the timeline to pressure companies into action.
While some critics have expressed concerns about the pressure caused by regulatory time mandates, the intention behind the timely disclosure rules is to benefit the general public and investors. “People deserve the right to know if their data has been exposed” says Mike Scott, CISO at Immuta, adding that it was the “ethical thing to do”.
Amid the new changes, SEC Enforcement Director Gurbir S. Grewal, stressed the need for transparency and issued a warning against companies attempting to subvert the new guidelines, emphasizing that the government will have “zero tolerance for gamesmanship” when it comes to cybersecurity disclosures.