SEC disclosure rule for material cybersecurity incidents went into effect
Publicly traded companies are now required to disclose “material” cybersecurity incidents to the U.S. Securities and Exchange Commission, after the new agency rule went into effect recently.

While the SEC’s rule is aimed at providing investors with information on potential risks to replace the inconsistent disclosures of major incidents, the controversial rule-making has garnered criticism from industry, Republican lawmakers and some cybersecurity experts.

The implementation of the rule comes at a time when there are few breach reporting requirements, a fact that largely leaves government and policymakers without basic information on the current landscape.

However, critics of the rule have levied myriad complaints, including that the disclosure time is too quick, such information could potentially endanger national security, it is duplicative of existing regulations, and — following the SEC’s lawsuit against SolarWinds and its former chief information security officer for fraud — it places more liability pressure on CISOs.

“The Commission determined that new rules would provide investors with the more timely, consistent, comparable, and decision-useful information they need to make informed investment and voting decisions,” Erik Gerding, director of the division of corporation finance at the SEC, said in a statement.

Concerns around the ruling also focused on a potential duplicate reporting regime, as the Cybersecurity and Infrastructure Security Agency is undergoing a rule-making that would require critical infrastructure owners and operators to report major cyber incidents. That rule-making is mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires owners and operators to report significant cyber breaches to CISA within 72 hours.

That duplication was called out in a November joint resolution to overturn the SEC ruling from Rep. Andrew Garbarino, R-N.Y., and a companion bill from Sen. Thom Tillis, R-N.C.

“This cybersecurity disclosure rule is a complete overreach on the part of the SEC and one that is in direct conflict with congressional intent,” Garbarino said in a statement at the time. “CISA, as the lead civilian cybersecurity agency, has been tasked with developing and issuing regulations for cyber incident reporting as it relates to covered entities.”

The CIRCIA rule applies to incidents that cause a substantial loss or disruption for critical infrastructure owners and operators, while the SEC rule applies to publicly traded companies. Additionally, CIRCIA imposes no public disclosure requirement for individual incidents. Other experts have noted that the SEC ruling complements rather than conflicts with CISA’s ruling.

“Until the cost of bad outcomes becomes higher than the cost of investing in cybersecurity, the market will not reward different behavior. Transparency is a critical first step,” Maia Hamin, associate director with the Atlantic Council’s Cyber Statecraft Initiative under the Digital Forensic Research Lab, wrote at the time.

In his remarks, Gerding also aimed to “address a potential misconception,” saying the SEC is not trying to prescribe cybersecurity best practices or defensive strategies.

“Public companies have the flexibility to decide how to address cybersecurity risks and threats based on their own particular facts and circumstances,” he said. “Investors have indicated, however, that they need consistent and comparable disclosures in order to evaluate how successfully public companies are doing so.”

The new ruling has two parts: companies have to report to the SEC within four business days if a “material” hack occurs, and they also have to create annual reports disclosing how they manage cybersecurity.

When initially proposed, the rule-making drew concerns that malicious hackers would use information from the disclosures to carry out further attacks. However, Gerding said that filings do not have to disclose technical information or response plans at a level of detail that could harm remediation efforts.