Companies Aren’t Waiting for SEC Rules to Kick In

In just over a month, the Securities and Exchange Commission’s (SEC) new cybersecurity disclosure rules go into effect. Many publicly traded companies, however, aren’t waiting until December 18 to comply but have already begun to report cyberattacks.

Why? According to a recent report on Axios, the early disclosures are giving other businesses a preview of what to expect from regulators, shareholders, and consumers when they report their own material cyber incidents. “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a statement.

New Rules Speed Up Reporting of Cyber Incidents

The new rules enacted by the SEC in July require public companies to disclose cyber incidents that have a material impact within four business days via a publicly available 8-K filing. Companies must also disclose more details about their internal cybersecurity programs in annual reports. The rules aim to provide investors comprehensive and standardized information on cybersecurity risk management, strategy, governance, and incidents.

Potential Problem With the Reporting Timeframe

Security and legal experts caution that determining what types of breaches are material and require reporting may pose a challenge for some firms, according to an earlier report on Cyberscoop. Furthermore, rushing to alert investors about breaches before they are remedied could put companies at risk. For example, hackers in the middle of an attack could pick up on the alert and do more damage, such as burning down any infrastructure they can access.

Delaying disclosures beyond the allotted four days involves several steps. First, the U.S. Attorney General (AG) determines that immediate disclosure would pose a substantial risk to national security or public safety. Next, the AG notifies the Commission of such determination in writing. Finally, if the AG indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant such relief through possible exemptive orders.

The practicality of this process remains to be seen once the reporting of cyber incidents officially gets underway next month.

All Companies Should Ramp Up Their Cybersecurity Programs

Before the SEC reporting rules kick in, experts recommend companies shore up their internal cybersecurity programs. The same could be said for organizations of all types. “While reporting is becoming mandatory for publicly traded companies, protection is imperative for all companies,” PrivaPlan’s Ron Bebus, CIO, CISSO, said.

He’s also in agreement with National Cybersecurity Alliance Executive Director Lisa Plaggemier regarding what she told Axios about actionable steps for organizations:

• Run tabletop exercises.
• Establish a crisis communication plan.
• Provide cyber training to board members.

“Tabletop exercises help everyone understand their role and possible impact regarding threats of all types,” Bebus explained. “Tabletops should be run with each department so that disaster responses are practiced, but more importantly, a good tabletop program teaches all employees the right mitigation steps to help prevent disasters.”

Additionally, training all members of an organization is no longer just an option; it’s necessary. “Disaster planning is not an IT-only function,” Bebus said. “The entire organization must be involved.”

To learn more, contact the privacy and security experts at PrivaPlan at info@privaplan.com or 877-218-7707.