The US Securities and Exchange Commission has shared some important clarifications on its new cyber incident disclosure requirements, which come into effect on Monday, December 18.
The SEC announced in late July that it had adopted new cybersecurity incident disclosure rules for public companies, requiring them to disclose any material breach within four business days of discovering that the incident has material impact.
Companies will have to submit annual reports with information on their cybersecurity risk management, strategy, and governance.
When the government agency announced the new rules, some industry professionals and government representatives raised concerns that forcing companies to disclose information in this manner could actually help threat actors, as the information provided by the victim to the SEC could be very useful.
This includes telling the attacker when the breach was discovered, what is known about it, and the potential financial impact, which could be useful for setting a ransom demand in the case of ransomware attacks.
In a blog post published last week, Erik Gerding, director of the SEC's Division of Corporation Finance, shared some clarifications on what information must be disclosed by companies and when it must be disclosed.
Gerding clarified that the final version of the rules is more focused on the material impacts of an incident and requires less information compared to the initial version.
Companies are specifically told that they do not need to disclose any specific or technical information about their incident response, systems or potential vulnerabilities if that could impede their incident response and remediation process.
He also provided additional clarifications on the 'four business day' requirement, noting that it's in line with other events that companies are required to report to the SEC, such as bankruptcy.
Public firms that suffer a data breach will be required to inform the SEC within four business days of determining that the incident is material, but their initial notification does not need to contain complete information about the incident.
A subsequent filing can be used to disclose information obtained after the four-day deadline.
Gerding highlighted that the final version of the rule also includes some changes regarding the annual disclosures in an effort to avoid misinterpretations that could put unnecessary pressure on companies.
A requirement to disclose whether any board members have cybersecurity expertise has been removed as it may have been interpreted as a requirement to retain an expert on the board.
The concern was that retaining such an expert could come at the expense of other, more important cybersecurity investments.
Some companies will be allowed to delay their disclosure to the SEC if there is substantial risk to public safety or national security.
Organizations that have suffered a breach can request an exemption if they believe the disclosure will harm public safety or national security.
The Justice Department can grant delays ranging between 30 and 120 business days; a delay exceeding 120 days can only be granted by the SEC. The FBI, which is accepting delay requests on behalf of the Justice Department, recently provided some clarifications on this process.
Summer Fowler, faculty at IANS Research and CISO at Torc Robotics, has shared some recommendations on how companies can prepare for complying with the SEC cyber incident disclosure rules.
Edgard Capdevielle, CEO of industrial cybersecurity firm Nozomi Networks, has shared some advice for organizations using operational technology systems.
This Cyber News was published on www.securityweek.com. Publication date: Mon, 18 Dec 2023 12:13:04 +0000