Publicly traded companies are now required to disclose “material” cybersecurity incidents to the U.S. Securities and Exchange Commission, after the new agency rule went into effect Monday.
While the SEC’s rule is aimed at providing investors with information on potential risks to replace the inconsistent disclosures of major incidents, the controversial rulemaking has garnered criticism from industry, Republican lawmakers and some cybersecurity experts.
The implementation of the rule comes at a time when there are few breach reporting requirements, a fact that largely leaves government and policymakers without basic information on the current landscape.
However, critics of the rule have levied myriad complaints, including that the disclosure time is too quick, such information could potentially endanger national security, it is duplicative of existing regulations, and — following the SEC’s lawsuit against SolarWinds and its former chief information security officer for fraud — it places more liability pressure on CISOs.
“The Commission determined that new rules would provide investors with the more timely, consistent, comparable, and decision-useful information they need to make informed investment and voting decisions,” Erik Gerding, director of the division of corporation finance at the SEC, said in a statement.
Concerns around the ruling also focused on a potential duplicate reporting regulatory regime, as the Cybersecurity and Infrastructure Security Agency is undergoing a rulemaking that would require critical infrastructure owners and operators to report major cyber incidents. Mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, the law requires owners to report significant cyber breaches to CISA within 72 hours.
That duplication was called out in a November joint resolution to overturn the SEC ruling from Rep. Andrew Garbarino, R-N.Y., and a companion bill from Sen. Thom Tillis, R-N.C.
“This cybersecurity disclosure rule is a complete overreach on the part of the SEC and one that is in direct conflict with congressional intent,” Garbarino said in a statement at the time. “CISA, as the lead civilian cybersecurity agency, has been tasked with developing and issuing regulations for cyber incident reporting as it relates to covered entities.”
CISA’s CIRCIA law applies to incidents that have a substantial loss or disruption to critical infrastructure owners and operators, while the SEC rule applies to publicly traded companies. Additionally, there is no public disclosure requirement under CIRCIA for individual incidents. Other experts have noted that the SEC ruling complements rather than conflicts with CISA’s ruling.
“Until the cost of bad outcomes becomes higher than the cost of investing in cybersecurity, the market will not reward different behavior. Transparency is a critical first step,” Maia Hamin, associate director with the Atlantic Council’s Cyber Statecraft Initiative under the Digital Forensic Research Lab, wrote at the time.
In his remarks, Gerding also aimed to “address a potential misconception”: that the SEC is not trying to prescribe cybersecurity best practices or defensive strategies.
“Public companies have the flexibility to decide how to address cybersecurity risks and threats based on their own particular facts and circumstances,” he said. “Investors have indicated, however, that they need consistent and comparable disclosures in order to evaluate how successfully public companies are doing so.”
The new ruling has two parts: companies have to report to the SEC within four business days if a “material” hack occurs, and they also have to create annual reports disclosing how they manage cybersecurity.
When initially proposed, the rulemaking drew concerns that malicious hackers would use any information out of the disclosures to engage in further attacks. However, Gerding said that filings do not have to disclose technical information or response plans in detail that could harm any remediation efforts.
Another concern raised by some was regarding potential national security risks stemming from disclosures. The final ruling allows for a written notification by the U.S. Attorney General if a public disclosure of an incident is determined to pose “a substantial risk to national security or public safety.”
However, it’s unlikely that this method will be used often. Guidance issued by the Department of Justice last week said that in many circumstances, disclosures of incidents “provides an overall benefit for investors, public safety, and national security.”
The potential considerations for holding off a disclosure form is if an attack has a technique or vulnerability that does not have a patch or an available mitigation, if the breach occurred on a system that holds sensitive government records, or if disclosure could harm remediation for a critical infrastructure organization, the guidance notes.
On the liability front, Patrick Joyce, resident CISO at the cybersecurity firm Proofpoint, said in a statement that “the CISO role has never been easy, and it looks a lot less appealing when you add liability and criminal responsibility to the high pressure, the ‘always-on’ hours, and the stress of the escalating cyber threat environment.”
“The SEC rule, with its new cyber incident disclosure and reporting requirements, will likely intensify those concerns and send CISOs clamoring for Directors & Officers insurance,” Joyce said.
Nick Sanna, founder of the FAIR Institute and president of Safe Security, said in a statement that companies that will file a disclosure should consider “the defensibility, transparency and documentation of their notifications” to the SEC, advocating for the FAIR materiality assessment model as one way to measure material risk.
For publicly traded critical infrastructure organizations, however, cyberattacks are “very likely material, and that means the four-day countdown enforced by the SEC could start immediately upon discovery,” Edgard Capdevielle, CEO of industrial cybersecurity firm Nozomi Networks, said in an emailed statement. Any impacts to critical infrastructure such as manufacturing, the power grid, oil refineries or health care systems could result in a major impact to commerce as well as public safety or the environment, he said.
“Based on my experience, these OT systems, which are every bit as vulnerable, are not as well protected thanks to years of inattention,” Capdevielle said. “Public companies that manage OT and IoT must be prepared to respond quickly if and when those systems are compromised in a cyberattack.”