A new hack-reporting requirement for publicly traded companies may not be a silver bullet that wards off shadowy data breaches, after all. Some stakeholders say the rules aimed at transparency could actually lead to extra busy work for IT professionals, inducing reporting fatigue and attracting investor lawsuits.
As IT Brew previously reported, publicly traded companies must now disclose details about cybersecurity incidents within four business days of determining that the incident is “material.”
The requirements—which include describing the incident’s “nature, scope, and timing”—are meant to standardize the degree of information the public can expect about attacks that put organizations’ finances and reputations at risk, SEC Chair Gary Gensler said when announcing the rules on July 26.
However, the rules generated controversy both before and after they were finalized, including concerns that the reports could force the disclosure of sensitive information and give bad actors a guide for planning attacks in the future. The way the final rules are written could also cause headaches for companies trying to comply with them, according to Tara Wisniewski, an executive vice president at cybersecurity certification nonprofit ISC(2).
For example, the SEC failed to adequately define what constitutes a material event that would trigger a Form 8-K report within the short timeframe, she said. Without further guidance, companies may not know whether they’re reporting too few or too many incidents, wasting valuable time in the compliance process, she added.
“The ambiguity will lead to a lot more work for cyber professionals that really distracts them,” Wisniewski told IT Brew. “We want to make sure we’re avoiding a checklist mentality because a checklist exercise actually takes cyber professionals away from their core job, which is to protect their organizations.”
US companies will experience a learning curve as they work through the reporting requirements and start filing the disclosures in real time, Dan Felz, an Alston & Bird attorney who specializes in cyber compliance, said. The latest that most companies must begin complying with the regime is in December.
“This first year is probably just going to be figuring out the ambiguities around, are we obligated to disclose it?” Felz said.
Firms will also have to navigate the added pressure of preparing reports on rapidly developing situations for an audience of a hawk-eyed markets regulator and nervous investors.
SEC Commissioner Hester M. Peirce, one of two officials who voted against the rules, noted this pressure in her dissent, saying that companies might report minor incidents “for fear of later SEC admonishment” or spook investors with “necessarily vague disclosures” when “a complete assessment would have sparked less concern.”
“The things you know Monday can be vastly different than the things you know Wednesday,” Felz said. “Trying to figure out what happened is fast and furious enough.”
Dave Brown, an Alston & Bird attorney who focuses on securities regulation and disclosures, agreed that assessing the aftermath of a hack and quickly translating it into an 8-K report will be a learned art form.
“When you’re getting information on a cybersecurity incident, oftentimes that information is incomplete. So, how are you going to make that determination?” he said. “Companies are going to need some practice with this.”
Another concern? The use of 8-K reports to announce and expand on cyber events could lead to a cascade of filings that stockholders eventually tune out. 8-Ks are typically filed just a couple of times per quarter, around earnings updates or in the wake of high-profile changes such as a new CEO or a big M&A deal, Brown said.
“It might just become noise. It might not actually give me information I can make investment decisions over,” he added.