A new Securities and Exchange Commission (SEC) rule that requires companies to report a breach within four days of determining a material incident goes into effect today, and the industry has responded positively to a last-minute change that does not require companies to file the technical details of a breach.
In a blog post published Dec. 14, Erik Gerding, director of the SEC’s Division of Corporation Finance, clarified that in the final version of the rules, companies do not need to “disclose any specific or technical information about their incident response, systems or potential vulnerabilities if that could impede their incident response and remediation process.”
Gerding said the SEC sought to balance the need for disclosure with the risk that disclosing specific technical information could offer a roadmap that threat actors could exploit in future attacks.
“Public companies must provide the required cybersecurity incident disclosure within four business days after the company determines the incident to be material,” explained Gerding. “The deadline is not four business days after the incident occurred or is discovered. This timing recognizes that, in many cases, a company will be unable to determine materiality the same day the incident is discovered.”
“It would be a mistake to think the SEC has any interest in becoming a cybersecurity watchdog,” said John Gunn, chief executive officer at Token.
“The update is important because it allows victim companies to focus on the financial impact of the incident and intent of the new SEC regulations, instead of trying to explain the minutia of the attacker’s methods, which the victim likely doesn’t know in the first four days anyway,” said Gunn.
Morgan Wright, chief security advisor at SentinelOne, added that the revised SEC rules show the complexity and reality of modern cybersecurity. Wright said that while this appears to be in line with other disclosure requirements (such as those for bankruptcy), it is still dependent on when the businesses covered by the rule determine that a breach crosses the threshold of being “material.”
However, Wright said publicly disclosing a breach and filing a notification under the regulation when it becomes material is unavoidable.
“Investors have a right to know,” said Wright. “At some point, companies can expect information about disclosure to become public knowledge. The regulation shows the SEC was listening to the concerns of the market. While not perfect, and no regulation ever is, it reduces the need to provide technical information that would only embolden additional attacks and brings back some sanity to the process from what was originally proposed.”
Patrick "Pat" Arvidson, chief strategist/evangelist at Interpres Security, said the adjustments to the reporting guidelines under the new SEC regulations on material breaches are not unexpected.
“Other countries with mandated reporting allow for the same exclusions and exceptions, with follow-on reporting as information is known,” said Arvidson.
Anurag Gurtu, chief product officer at StrikeReady, said the clarifications balance the need for disclosure against the risk that revealing specific technical details could aid future cyberattacks. Gurtu added that companies are still required to report material cyber incidents to the SEC within four business days, but the initial notification does not need to contain complete incident details; further information can be disclosed subsequently.
“Changes in annual disclosures have also been made to avoid undue pressure on companies,” said Gurtu. “Notably, requirements around disclosing board members' cybersecurity expertise have been removed. This change addresses concerns that such a disclosure might lead to companies prioritizing board expertise over other crucial cybersecurity investments. Overall, these clarifications and the new rule aim to enhance transparency in cyber incident reporting while balancing the need for public disclosure against the risks of providing too much technical detail that could be exploited by threat actors.”
John Morello, co-founder and CTO at Gutsy, added that this accommodation offers some additional flexibility in the disclosure process, but puts the U.S. Attorney General in a potentially politically charged situation.
“It's often hard to determine the degree of severity early in an incident, especially if the bar is as high as risk to national security, so it's not clear how frequently the accommodation could even be utilized,” said Morello.
George Gerchow, CSO and SVP of IT at Sumo Logic and faculty at IANS Research, said that ultimately there is still no clear definition of what is meant by “material.” While he liked the idea of the accommodation, he still thought there were some gray areas and that more concrete clarification was needed.
“Gray as in there is zero guidance on what a material impact means,” said Gerchow. “Every event or incident comes at a cost and was obviously something that disrupted the company. So, what exactly is material impact? If you leave it to the discretion of the company, you may or may not get an 8-K. There needs to be better guidance around it, such as ‘was data exfiltrated or not and, if so, what kind?’”