Starting today, on December 18, public companies operating in the US must comply with a new set of rules requiring them to disclose “material” cyber incidents within 96 hours. The regulation represents a significant upheaval for agencies, many of which have argued that the new rules open them up to more risks and that four days is not enough time to confirm a breach, understand its impact or coordinate alerts.
Regardless, those who don’t comply — whether a new entrant or a decades-old publicly held company — could face significant consequences courtesy of the US Securities and Exchange Commission (SEC).
What do businesses need to know?
In accordance with incoming cyber security disclosure requirements, was first approved by the Securities and Exchange Commission in July, organizations must report cybersecurity incidents, such as data breaches, to the SEC on a specific line item in a Form 8-K report within four business days. According to the regulator, the rules are intended to increase visibility into cybersecurity governance and provide disclosure in a more “consistent, comparable and useful way for decision-making” that will benefit both investors and companies.
“Whether a company loses a factory in a fire — or millions of records in a cyber security incident — it can matter to investors,” SEC Chairman Gary Gensler said at the time.
In an 8-K filing, breached organizations must describe the nature, scope, timing and material effects of the incident, including financial and operational. Specifically, the regulation does not require companies to disclose information “regarding the incident recovery status, whether it is ongoing, and whether data has been breached,” as this could jeopardize ongoing recovery efforts.
“This means companies must have the appropriate controls and processes in place to ensure that a materiality determination can be made once a cybersecurity incident is identified,” Jane Norberg, partner in the Securities Enforcement Defense practice at the Washington, D.C.-based law firm. . Arnold & Porter. “Practically speaking, companies will also want to consider having the incident response team in the process chain when making materiality determinations.”
Norberg added, “The rule also includes breaches of registrant information that may be in a third-party system. This means that a company should collect and evaluate information and make materiality determinations based on breaches of third-party systems.”
“I seem to be the person who criticizes the SEC less than everyone else because I think they should be praised for trying to set rules.” Joe Sullivan, former CSO of Uber
Smaller companies, which the SEC defines as companies with a public float of less than $250 million or less than $100 million in annual revenue, will get a 180-day extension before they need to file their Form 8-K disclosing an incident.
There is also an exception to the four-day deadline for larger organizations, a clause added after businesses argued that early disclosure of a cyber vulnerability or incident could hinder ongoing law enforcement investigations. The SEC says disclosure can be delayed if the US attorney general determines that notifying shareholders of the incident “would pose a significant risk to national security or public safety.”
The FBI will be responsible for collecting delay request forms and forwarding viable ones to the Department of Justice.
In addition to the SEC’s new data breach disclosure rules, the regulator has also added a new line item called Item 106 to Regulation SK to be included in a company’s annual Form 10-K filing. This will require businesses to outline their process “for assessing, identifying and managing significant risks from cyber security threats”. Companies must also disclose their management’s ability to assess and manage significant risks from cyber attacks.
What are the consequences if businesses do not comply?
If an organization subject to the SEC’s jurisdiction does not comply with the new rules on cybersecurity disclosures, it can lead to several consequences, the SEC says.
“The SEC has the power to enforce compliance and can take action against organizations that do not comply with the regulations. Some potential consequences include financial penalties, legal liabilities, reputational damage, loss of investor confidence and regulatory scrutiny,” Safi Raza, senior director of cybersecurity at Fusion Risk Management, told TechCrunch. “The SEC is unwavering in its commitment to protect investors, making clear that enforcement measures will be implemented to ensure transparency and accountability.”
As demonstrated by the SEC’s recent action against SolarWinds and its chief information security officer (CISO), the regulator’s action could be even more far-reaching.
“In this case, the SEC is seeking civil monetary penalties, disbarment and permanent disqualification against the CISO from serving as an officer or director of a public company based on alleged material misstatements and failure to maintain proper disclosures and controls with respect to SolarWinds cyberattack,” Norberg said.
This controversial case shares similarities with the case against former Uber CSO Joe Sullivan, who in 2022 was found guilty of obstruction of justice and misdemeanor counts of misdemeanor failure to report in connection with a 2014 breach of Uber’s systems. .
In a recent interview with TechCrunch, Sullivan said he welcomes the SEC’s data breach reporting rules, saying, “We can pick apart the details as much as we want, but this is the right way to do it,” he said. “I seem to be the person who criticizes the SEC less than everyone else because I think they should be praised for trying to set rules.”
Was there pushback?
Not surprisingly, yes.
Some firms have expressed concern about the short four-day reporting window to determine whether or not an incident is material and then report it to the Securities and Exchange Commission. Until now, many organizations took months to report a breach and did so only after they had completed their investigation.
“The real challenge for companies is to stay up-to-date and on top of all the changing laws and requirements related to cybersecurity hygiene and breaches, and to put in place the appropriate controls, processes and procedures to reduce the risk of this constantly evolving landscape”. Norberg said.
Some organizations have also raised concerns about the SEC’s definition of “material events,” since the regulator has not provided a definition of materiality specifically for cybersecurity events. Instead, the SEC directs companies to apply the longstanding definition of materiality used in securities law, which says: “Information is material if there is a substantial likelihood that a reasonable shareholder would consider it relevant to making an investment decision, or whether it would have significantly changed the set of information available to investors.
Norberg added that there is also concern from businesses that the timing and scope of the information to be disclosed “could give hackers information about the steps the company took.”
In fact, they may have just gone into effect, but hackers have already abused the SEC’s new data breach rules. Earlier this year, the notorious Alphv/BlackCat ransomware group has filed an SEC complaint against one of its victims, MeridianLinkbecause the incident was not reported to the regulator.
“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and business information, has failed to file the required disclosure pursuant to Item 1.05 of Form 8-K within the prescribed four business days as defined by the new SEC Rules,” read a post on the gang’s dark web leak site.
Matthew Gracey-McMinn, head of threat research at cybersecurity firm Netacea, told TechCrunch that this tactic — adopted by attackers in an attempt to extort extra money from victims — could become a big problem in the future.
“We expect this to become a common practice of most cyberattacks in 2024 and may act as an additional charge alongside or even replace data encryption by ransomware,” Gracey-McMinn said.
