SEC Proposal Would Impose Stricter Timeline for Public Companies Reporting Cyberattacks
A U.S. Securities and Exchange Commission (SEC) proposal would require public companies to report data breaches and other cybersecurity incidents within four days of discovery.
According to newly proposed amendments to existing rules, listed companies would have to provide information in periodic report filings on policies, implemented procedures and the measures taken to identify and manage cybersecurity risks. The amended rules would also instruct companies to provide updates regarding previously reported security breaches.
Gary Gensler is the SEC's chair.

SEC’s Gary Gensler
“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” he said. “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable and decision-useful manner.”
Not All Cyberattacks are Equal
Joseph Carson is chief security scientist and advisory CISO at Delinea. He said the SEC proposal reinforces the importance of being incident response ready and of having a solid backup and recovery strategy.

Delinea’s Joseph Carson
“The proposals, however, appear to treat data breaches and cybersecurity incidents all equally rather than as risk-based, which is a big surprise,” he said. “We know that the impact and severity of data breaches and cybersecurity incidents can vary significantly depending on the scale and type of data impacted. Organizations are really going to need to ramp up their incident response plans to be incident response ready as many organizations even after four days of discovering a data breach are still trying to identify the impact. So reporting an incident at the same time will require quick incident response capabilities.”
Post-incident response and reporting are critically important, Carson said. And when security controls fail to prevent attacks, businesses must rely on their incident response and recovery capabilities to get the business back up and running.
“In addition to incident response, a strong backup strategy that reduces risks from ransomware combined with a solid privileged access security solution and use of multifactor authentication (MFA) wherever and whenever possible will make it more difficult for attackers to be successful in the future,” he said.
Good Move by SEC
Ray Kelly is a fellow at NTT Application Security. He said the SEC proposal is a good move to standardize breach reporting and procedures for publicly traded companies and to hold them accountable.

WhiteHat Security’s Ray Kelly
“The current policies – which do not specify a timeframe to report cybersecurity incidents to the public – have essentially allowed companies to disclose this critical information on their own merit, which could affect stock price or mergers and acquisitions,” he said.
Casey Ellis is Bugcrowd‘s founder and CTO. He said the SEC proposal is …