The US Securities and Exchange Commission (SEC) has adopted new rules requiring publicly listed firms to disclose serious cybersecurity incidents within four days. While well-intentioned, these rules have raised concerns among some firms, who feel they are being “micromanaged” and argue that the rules could potentially assist attackers. Starting from December 2023, listed firms are required to report details about “material” cyberattacks, including the incident’s nature, scope, timing, and its impact on the registrant. However, determining the material impact of a cyberattack can be challenging in the early stages, because the theft of data is not as obvious as the theft of a physical object. It often takes longer than four days to accurately determine which data may have been breached. Rushing to meet the reporting deadline may lead to incorrect or incomplete information being shared with authorities, partners, employees, and customers, further damaging the company’s brand and relationships. Additionally, the rush to announce a cyberattack may result in the disclosure of previously undisclosed vulnerabilities, potentially increasing the risk of further attacks. While enhancing transparency and benefiting the general public, these new rules also create immediate challenges for firms in the aftermath of an attack.
Key points:
1. The US SEC has introduced new rules requiring publicly listed firms to disclose serious cybersecurity incidents within four days.
2. Firms are concerned about being “micromanaged” and argue that the rules could assist attackers.
3. Starting from December 2023, listed firms must report details about the nature, scope, timing, and impact of cyberattacks.
4. Determining the material impact of a cyberattack can be challenging in the early stages, as data theft is not as obvious as physical theft.
5. Rushing to meet reporting deadlines may lead to incorrect or incomplete information being shared, damaging the company’s reputation and relationships.