
SEC demands four-day disclosure limit for cybersecurity breaches – Naked Security

Last week, the US Securities and Exchange Commission (SEC) announced new rules regarding cybersecurity breach disclosures for individuals and companies under its regulatory authority. The SEC was established during the Great Depression in the 1930s to prevent unregulated speculation that led to the infamous Wall Street crash of 1929. Its mission is to protect investors, maintain fair markets, and facilitate capital formation. Companies offering shares to the public must comply with SEC regulations to provide investors with protection against misleading claims and misrepresentation of risks.

In today’s online world, cybersecurity breaches such as ransomware attacks can have severe and long-lasting effects on a company’s value. Ransomware attacks often involve cybercriminals stealing sensitive data, including employee and customer information, and encrypting files, leaving companies at a digital standstill. These attacks put companies in a two-sided bind: they lose access to their own files, and they also face potential legal and reputational consequences if they refuse to pay and the stolen data is exposed.

Ransomware attacks can unfold in different ways. Type A attacks involve locking up files so that only the criminals hold the decryption key; paying the extortion fee buys the promise of the key’s return and the criminals’ silence about the attack. Type B attacks involve copying files, with the criminals threatening to leak or sell the stolen data; paying the ransom buys the promise that the data will be deleted, sparing the organization lawsuits and reputational damage. Some attacks combine both types, presenting organizations with compounded challenges.

Determining when a ransomware attack should be considered a notifiable breach has been a challenge. If a Type A attack occurs, no evidence suggests data exfiltration, and the organization restores its systems quickly, should it be required to disclose the incident? Similarly, if a Type B attack occurs and the ransom is paid, can the organization declare it not-a-breach on the grounds that the stolen data was supposedly never exposed? Furthermore, should organizations disclose all cyberblackmail payments, even when not legally required?

While the SEC’s recent announcement provides guidelines for disclosure, it lacks detailed guidance on specific scenarios. The rules require registrants to disclose any material cybersecurity incident, describe its nature and impact, and submit the disclosure within four business days of determining that the incident is material. The rules do, however, allow the disclosure to be delayed if immediate disclosure would pose a risk to national security or public safety.

The key points to consider are: should paying off cyberextortionists be considered a material impact, and what are the guidelines for the scale of the attack? If a Type A ransomware attack occurs, what is the threshold for determining a material impact? Organizations need clarity on these matters to ensure accurate and appropriate disclosure.
