After much discussion and horse-trading, the Securities and Exchange Commission (SEC) last week finally adopted rules that require all public companies to report cybersecurity breaches within four days. While there have been a number of failed initiatives to get companies to prioritize cybersecurity, the enforcement by the SEC could make a real impact this time. Companies are often tempted to brush breaches under the rug, but this approach leads to negative outcomes for both shareholders and customers. The new notification requirement has the potential to drive institutional change from the board down.
The rules come only a month after SolarWinds announced that the SEC had issued a Wells Notice against its executives, indicating that it intends to take action against them for their part in the 2020 breach. So there’s no doubt that the SEC means business when it comes to improving the cybersecurity of public companies.
Following an extensive comment period, many parts of the draft rules were removed to make them more palatable to industry. Gone are the requirements around recording and quantifying security postures, the complex concept of aggregate materiality, and the detailed information requests from early on in a breach response. Overall, the final rules strike a very sensible balance between raising standards and removing onerous red tape.
However, the new rules are not without controversy. The regulations passed 3-2 along party lines. The Republican Commissioner Mark Uyeda expressed concern that the new rules unfairly elevate cybersecurity risks above others of equal importance.
There’s also concern that in many incidents the attacker will still be dwelling in the network at the time of notification. Dissenting commissioner Hester Peirce said the public information would help hackers better understand the defenses of the organizations they sought to attack, saying the rules “seem designed to better meet the needs of would-be hackers.” Tipping off attackers that they have been identified can make it harder to then lock them out. Remediating a persistent breach, for example by resetting all users’ passwords and locking down access points, can take weeks to plan.
However, there are now carve-outs and exceptions in the final rules, particularly for national security incidents, which mitigate these risks. And the information required on the 8-K form is not detailed enough to give attackers meaningful insider knowledge, beyond the fact that a breach has been identified and a response is under way.
The notification deadline only kicks in once a company determines that a breach is material, not when it first identifies a breach. It’s a subtle difference, but it may take days of initial triage analysis before a company can tell whether a breach is material enough to warrant reporting to the SEC. Determining materiality requires scoping the incident and assessing its impact. Many organizations today may struggle to assess the materiality of a breach, but that is something the SEC should force public companies to improve on. Additionally, the reporting requirements don’t expect the incident to have been fully remediated within four days. Companies in the EU only have three days under GDPR, and in India it’s an extremely brief six hours.
The report organizations need to file is not long: it covers the nature of the breach, some brief timelines, and the expected impact. Companies will file under a new section of the existing 8-K form, which the SEC uses to notify investors of significant events. Other existing sections include items such as “Mine Safety – Reporting of Shutdowns and Patterns of Violations” and “Bankruptcy or Receivership,” so the form is not exclusive to cybersecurity.
The new rules will take effect in December, or 30 days after publication in the Federal Register. I am not expecting an outcry once they are implemented, but I do hope to see continual improvement in cybersecurity standards as a result.
Chris Doman, co-founder and CTO, Cado Security