Public companies must now disclose breaches within 4 days

Public organisations in the US impacted by a cyberattack will now have to disclose it within four days, with some caveats attached. On Wednesday, new rules were approved by the US Securities and Exchange Commission (SEC). Under these rules, publicly traded companies will need to reveal the details of an attack in cases where it had a “material impact” on their finances.

From the SEC press release:

The Securities and Exchange Commission today adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

Disclosure of a breach can be held off in cases where the US Attorney General decides that disclosing it would pose a risk to national security or public safety. Otherwise, the new rules regarding the four-day time limit will apply:

The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material.

That’s not all. Registrants will also have to describe their processes for “assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents”.

Both management and the board of directors will also have to explain their oversight of potential risks and threats, all required in the organisation’s annual report.

This all sounds like a good idea. However, some believe it may help the people doing the attacking more than it hinders them. SEC commissioner Hester Peirce, who voted against the new rules, is not impressed, as her comments reported in Security Week make clear.

She believes the new rules could end up providing attackers with a kind of road map of potential targets. New filings would continually give them updates on how the company is coping with their attack. They could then plan new strategies, or other groups watching the chaos unfold could swoop in to cause more problems for the victim.

While this seems unlikely, it’s probably worth thinking carefully about how the updates are worded, just to be on the safe side. As Security Week notes, these concerns are acknowledged in the SEC’s document, but the SEC ultimately considered the disclosure requirements justified.

For the world of business, the ball is now in your court. You have four days to pass it back.
