SEC: Companies Have Four Days to Disclose Cyberattacks
The Securities and Exchange Commission (SEC) is trying to bring some order to a sprawling and sometimes unruly enterprise IT world besieged by cyberthreats and rapidly evolving technologies.
The SEC this week said publicly traded companies now have four days to disclose ransomware attacks or other cybersecurity incidents that affect their financial picture, the latest move by the government to bring more transparency as attacks on organizations continue to ramp up.
The same day, the SEC proposed new rules requiring broker-dealers and investment advisers who use such emerging technologies as AI and data analytics to address possible conflicts of interest, so that they do not place their own interests ahead of their investors' interests.
In both cases, the agency is trying to keep up with the accelerating pace of cyberattacks and technology innovations, both of which could impact investors and customers of these businesses.
The Clock is Ticking
The SEC last year first raised the issue of standardizing cyberattack disclosure rules, with the commission this week voting 3-2 in favor of them. It puts the onus on company executives to ensure that all affected parties are notified when the business comes under attack.
“Currently, many public companies provide cybersecurity disclosure to investors,” SEC Chair Gary Gensler said in a statement. “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
The new rules will “benefit investors, companies, and the markets connecting them,” Gensler said.
When reporting an incident, organizations will be required to disclose not only the impact of the attack but also its nature, timing and scope. That said, there are some caveats. The four-day deadline only begins when a business determines that the attack has a “material” impact on its bottom line.
In addition, the disclosure can be delayed by as many as 60 days if the U.S. Attorney General’s Office determines that revealing the information poses a national security or public safety risk.
Along with the four-day disclosure requirement, the new rules also mean public companies will have to file paperwork with the agency annually outlining their strategies around risk management and governance, how they assess and identify material risks stemming from cyberattacks and steps they take to remediate them.
The Time to Prepare is Now
The new SEC rules mean businesses that are currently unprepared to meet the requirements will have to change the way they address cybersecurity and determine what a “material” incident looks like, according to Saket Modi, co-founder and CEO of Safe Security.
“The game needs to change to focus on protecting systems that pose the biggest material risk to business and making cybersecurity investments that will reduce the likelihood of material risk breaches,” Modi said. “This means businesses will have to translate bits and bytes of cybersecurity risk into dollars and cents of ‘material’ business risk.”
The new rules come at a time when the number and sophistication of cyberattacks are rising and remote work is growing, which only increases the attack surface for businesses.
James McQuiggan, security awareness advocate at KnowBe4, said the four-day time frame may seem tight, but noted it’s looser than in other countries, such as the UK, Canada, and Australia (three days), China and Singapore (24 hours) and India (six hours).
“Either way, organizations should have repeatable and well-documented incident response plans with communication plans, procedures, and requirements on who is brought into the incident and when,” McQuiggan said. “Organizations must stay current on local cybersecurity laws and regulations to ensure compliance and foster a prompt incident reporting and response culture.”
The rules – which take effect 30 days after they’re published in the Federal Register – come amid the unfolding security disaster that is the MOVEit hack, which was first reported in late May and continues to pull businesses into the morass. The Russian-linked Clop ransomware group is believed to be behind the attack, which involved exploiting a zero-day flaw in the MOVEit Transfer managed file transfer software that enabled threat groups to steal data passing through the service.
Recent reports have put the number of businesses falling victim to the MOVEit hack at between 450 and more than 500, with more than 35 million people having their personal information stolen.
Analytics, AI and Investing
At the same time, the SEC also put focus on the use of AI and data analytics in the investment field. In particular, the agency noted that broker-dealers and investment advisers are accelerating their use of these technologies to predict, guide and direct the investment decisions of their clients. The worry is that given the scalability and speed of the technologies, the potential for harm caused by conflicts of interest is heightened and broad.
“Today’s predictive data analytics models provide an increasing ability to make predictions about each of us as individuals,” Gensler said. “This raises possibilities that conflicts may arise to the extent that advisers or brokers are optimizing to place their interests ahead of their investors’ interests.”
Firms are obligated to eliminate or address conflicts of interest when offering clients advice and to keep the interests of those clients above their own, he said.
The proposed rules would require firms to determine whether their use of particular technologies in their interactions with investors would lead them to act in their own interest rather than the investor’s and eliminate the effect of any conflicts. They could use tools that address the risks and are specific to the technology they use.
The companies also would need written policies and procedures that comply with the proposed rules and to keep records that relate to the requirements.
There will be a 60-day comment period after the proposed rules are published in the Federal Register.