Bad news usually travels fast, but under a newly approved Securities and Exchange Commission regimen, companies will have to be even speedier about announcing data breaches.
In a final rule approved last Wednesday, the regulator said that publicly traded companies must now disclose details about cybersecurity incidents within four business days of determining that the incident is “material.”
The requirements, which include describing the incident’s “nature, scope, and timing,” are meant to standardize the degree of information the public can expect about attacks that put organizations’ finances and reputations at risk, SEC Chair Gary Gensler said.
“Currently, many public companies provide cybersecurity disclosure to investors,” Gensler said in a statement. “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
Along with publicizing the hacks themselves, SEC registrants must also “describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats,” according to the regulator.
While some stakeholders worried that the disclosed information could give bad actors fuel for their next strikes, since details disclosed under the proposed reporting process could provide a roadmap for future attacks, SEC Commissioner Jaime Lizárraga said the final version “does not require specific, technical information that would serve that harmful purpose.” Instead, he noted, it’s focused on quantifying the material impacts on the targeted business and its customers.
“More timely reporting of cyber incidents can serve as an alert to companies in the same sector that malign actors are launching cyber-attacks. Such companies could have more time to raise their cyber defenses and to mitigate any potential damage,” Lizárraga said in a statement.
The SEC first floated the rules in 2022 in response to the “ongoing and escalating” risk that cybersecurity attacks pose to public companies and investors—especially as more companies digitize their platforms, employees increasingly work from home, and bad actors see chances to make more money off exploiting vulnerabilities. An “increasing dependency on third-party service providers,” especially for IT services, also adds to the threat landscape and furthers the case for standardized reporting, the SEC said in a fact sheet.
The rules also acknowledge that breaches carry a ballooning price tag for the targeted companies. As IT Brew previously reported, a recent IBM study estimated that each data breach costs its victim an average of $4.4 million, and those expenses vary based on factors like how quickly it’s detected, whether law enforcement is involved, and whether the threat is first discovered internally or announced by the hacker. Over the last decade, breaches increased 600 percent, from 28 in 2011 to 188 in 2021.
The rules follow up on guidance the SEC has issued over the last decade that extended preexisting reporting obligations to cyber incidents. However, firms’ application of and adherence to the guidance was so inconsistent that it necessitated more uniform rules, according to the regulator. The rules will take effect 30 days after they’re published in the Federal Register, and the latest that most companies must begin complying with the regime is in December.