The Securities and Exchange Commission (SEC) this week pushed back its timeline for finalizing new regulations that would require public companies to notify the agency within four days of a cybersecurity breach.
The SEC disclosed the update in its spring 2023 unified agenda of regulatory and deregulatory actions. Financial and cybersecurity observers had expected the rule to be finalized as early as May, but the notice indicates that the earliest possible timeframe for a final rule is now October of this year.
The move comes after industry trade groups like the Information Technology Industry Council (ITI), various cybersecurity vendors, NASDAQ, and public interest groups such as the Electronic Privacy Information Center (EPIC) pushed back on the language of the rules.
Other groups expressed concerns over potential duplication with a forthcoming requirement under the 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) to report critical infrastructure incidents to the Cybersecurity and Infrastructure Security Agency (CISA). As it stands now, the proposed CIRCIA rule would require critical infrastructure entities to report a breach within three days, but they would only have to report to CISA.
In a June 14 report, the Atlantic Council said that many of the comments on the SEC's NPRM around breach notification focus on the short length of the four-day disclosure period and on industry concerns that the timeline applies whether or not the incident has been fully contained and remediated. Public companies would have to report a breach on Form 8-K within four days of determining that an incident is material.
Rapid7 was quoted in the Atlantic Council report saying that public disclosure of an “unmitigated or uncontained cyber incident will likely lead to attacker behaviors that cause additional harm to investors, including attack escalation.” This would include more aggressive exfiltration of data and anti-forensic activity such as deleting activity logs. In a comment submitted to the SEC on the proposed rule last year, Rapid7 also warned that it could lead to copycat attacks by other malicious actors seeking to exploit the same vulnerability. The cybersecurity vendor said a 30-day period should suffice to investigate and remediate the vast majority of cyber incidents.
A representative from Rapid7 declined further comment when reached by SC Media, stating that a public affairs official was not available today.
Nasdaq said in its public comments that the four-business-day timeframe may interfere with a public company's primary obligation to remediate a cybersecurity intrusion. It also stated that four days is not enough time to understand the nature and scope of a cybersecurity breach, as well as its potential impact. Many other comments included in the Atlantic Council report echo these worries.
EPIC has also raised concerns around consumer privacy in the event of a financial breach. In a June 5 letter to the SEC, the nonprofit asked the agency to further amend the rules to ensure that incident response programs and data breach notifications carried out under the new regulations give consumers "the information they need to understand and take any necessary action in response to a breach."
“The costs associated with the incident response programs and more robust notification regime serve an important forcing function for entities that might otherwise not adequately invest in safeguards on the front end,” wrote EPIC. “And those incentives, in conjunction with aggressive SEC enforcement of the safeguards rule itself and routine independent audits carried out under the proposed rules in the Cybersecurity Audit NPRM, are necessary to raise data security standards across the industry.”
In its recommendations to the SEC, the Atlantic Council concurred with Rapid7 that a 30-day notification period would give companies enough time to respond in most situations following a breach. They also said the SEC should let companies delay a notification when reporting would have a negative effect on national security, as certified by the U.S. Attorney General or CISA. The SEC has actually asked commenters to weigh in on the national security issue.
News of the final rule delay was first reported June 14 by Inside Cybersecurity.