Some companies will be dealing with big changes in the coming weeks, as the Securities and Exchange Commission (SEC) has decided that public companies must now report cybersecurity breaches within just four days. This will be a major change for those outside of the healthcare and critical infrastructure industries, given that there were previously few immediate incident disclosure requirements.
The reporting rules apply only to cybersecurity breaches that the company expects to have a “material impact” that investors should know about, however, and companies have some leeway to establish that impact before the incident disclosure is required. The disclosure might also be avoided if there is a “substantial risk” of a national security or public safety issue attached to it.
SEC establishes short window for incident disclosures
The new incident disclosure rules may catch some companies unaware, particularly smaller businesses. With average detection and remediation times still approaching one year, some are pointing out that four days is an unrealistic demand during a period of cybersecurity breaches in which the attacker may still be dwelling on the network.
The SEC’s intent is likely to address a largely unregulated incident disclosure landscape that often sees the public only becoming aware of personal information compromise months after the fact, and the full picture not emerging until weeks or months after that. But there are legitimate concerns about disclosure windows that are too short for organizations to realistically handle, not the least of which is even greater inaccuracy in the information initially provided to the public.
Ultimately, the new rules do bring some clarity to a landscape that is largely without federal regulation and requires organizations to keep up with an ever-changing patchwork of state laws. Impacted companies are also being required to improve their annual reporting of how risk from cybersecurity breaches is managed, providing details on their detection and deterrence methods.
New requirements for cybersecurity breaches roll out in late August
Organizations do not necessarily have much time to prepare for compliance with the new SEC rules, with many becoming subject to the new incident disclosure terms as next month comes to a close. Some smaller businesses will be given up to 180 more days, but by the end of 2023 all public companies should be prepared to almost immediately disclose material cybersecurity breaches. December 15 of this year is also when the new annual reporting requirements go into effect.
Companies that currently do not have a well-developed cyber governance system, or those that do not have one at all, will definitely feel the strain. There is certainly a fair point to be made that it is long overdue for all companies to take the potential damage of cybersecurity breaches seriously, but many will be scrambling to catch up with years of lost time in just a few months.
The move should only be taking the most unaware by surprise, however, given that the SEC has been signaling a decision of this nature since 2022. Use of federal regulatory agencies to spur quick improvements to cybersecurity has also been a hallmark of the Biden administration (and the SEC vote in favor of this new move was split along party lines).