SEC disclosure rule for material cybersecurity incidents went into effect
Publicly traded companies are now required to disclose “material” cybersecurity incidents to the U.S. Securities and Exchange Commission, after the new agency rule went into effect recently.

While the SEC’s rule is aimed at providing investors with information on potential risks to replace the inconsistent disclosures of major incidents, the controversial rule-making has garnered criticism from industry, Republican lawmakers and some cybersecurity experts.

The implementation of the rule comes at a time when there are few breach reporting requirements, a fact that largely leaves government and policymakers without basic information on the current landscape.

However, critics of the rule have levied myriad complaints, including that the disclosure time is too quick, such information could potentially endanger national security, it is duplicative of existing regulations, and — following the SEC’s lawsuit against SolarWinds and its former chief information security officer for fraud — it places more liability pressure on CISOs.

“The Commission determined that new rules would provide investors with the more timely, consistent, comparable, and decision-useful information they need to make informed investment and voting decisions,” Erik Gerding, director of the division of corporation finance at the SEC, said in a statement.

Concerns around the ruling also focused on a potential duplicate reporting regulatory regime, as the Cybersecurity and Infrastructure Security Agency is undergoing a rule-making that would require critical infrastructure owners and operators to report major cyber incidents. Mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, the law requires owners to report significant cyber breaches to CISA within 72 hours.

That duplication was called out in a November joint resolution to overturn the SEC ruling from Rep. Andrew Garbarino, R-N.Y., and a companion bill from Sen. Thom Tillis, R-N.C.

“This cybersecurity disclosure rule is a complete overreach on the part of the SEC and one that is in direct conflict with congressional intent,” Garbarino said in a statement at the time. “CISA, as the lead civilian cybersecurity agency, has been tasked with developing and issuing regulations for cyber incident reporting as it relates to covered entities.”

CISA’s CIRCIA law applies to incidents that have a substantial loss or disruption to critical infrastructure owners and operators, while the SEC rule applies to publicly traded companies. Additionally, there is no public disclosure requirement under CIRCIA for individual incidents. Other experts have noted that the SEC ruling complements rather than conflicts with CISA’s ruling.

“Until the cost of bad outcomes becomes higher than the cost of investing in cybersecurity, the market will not reward different behavior. Transparency is a critical first step,” Maia Hamin, associate director with the Atlantic Council’s Cyber Statecraft Initiative under the Digital Forensic Research Lab, wrote at the time.

In his remarks, Gerding also aimed to “address a potential misconception”: that the SEC is not trying to prescribe cybersecurity best practices or defensive strategies.

“Public companies have the flexibility to decide how to address cybersecurity risks and threats based on their own particular facts and circumstances,” he said. “Investors have indicated, however, that they need consistent and comparable disclosures in order to evaluate how successfully public companies are doing so.”

The new ruling has two parts: companies have to report to the SEC within four business days if a “material” hack occurs, and they also have to create annual reports disclosing how they manage cybersecurity.

When initially proposed, the rule-making drew concerns that malicious hackers would use any information out of the disclosures to engage in further attacks. However, Gerding said that filings do not have to disclose technical information or response plans in detail that could harm any remediation efforts.