
New Cybersecurity Disclosure Rules Present Challenges for Public Companies

One of the aims of the new cybersecurity disclosure rules approved by the Securities and Exchange Commission (SEC) last month is to give investors better information about the cybersecurity risks associated with public companies. The other objective is to encourage public companies to enhance their cybersecurity and risk posture.

But it appears the Devil is in the details, as concerns swirl over exactly which incidents to report and what details are required when disclosing information. The rules require enterprises to determine when any security incident is material, which is deceptively difficult.

The SEC considers an incident material if it can have a significant impact on the company’s financial position, operation, or relationship with its customers. The new rules include a requirement for a “Form 8-K disclosure of material cybersecurity incidents within four (4) business days of the company’s determination that the cybersecurity incident is material.”

Determining whether an incident is “material” may be more complex than organizations are prepared for. Security incidents look different as time goes by and additional analysis is completed. This means that if a committee looks at a data breach that was only discovered a day earlier, they will likely be making the decision based on incomplete and flawed preliminary data.

This leaves enterprise executives in a predicament. They can choose to report an incident quickly and risk reporting a non-material event, or they can wait for forensic analysis and examination of backup files, risking accusations of failure to disclose in a timely manner.

The SEC’s four-day disclosure timetable is also problematic. Preparing the specifics of an incident for an SEC filing can take longer than four days, as it involves multiple departments such as Security Operations Center (SOC) staff, Legal, and investor relations. Additionally, the CEO and board members may want to review and approve the filing.

Corporate leadership must think carefully about what constitutes a material incident based on factors such as the organization’s verticals, geographies involved, nature of operations, and the type of attackers/attacks the business is likely to attract. Definitions of terms like “data breach” may also vary between security professionals and lawyers.

The SEC has exempted specific, technical information about the registrant’s response to the incident or its cybersecurity systems from the 8-K filing requirement. This exemption is necessary to avoid hindering investigations or providing too much information to potential attackers. However, it may result in companies not providing meaningful information to investors.

These challenges highlight the complexity of implementing the new cybersecurity disclosure rules. Public companies will need to carefully consider incident materiality, disclosure timetables, and the information they provide to investors to meet the SEC’s requirements effectively.
