Effective today, December 18th, public companies doing business within the United States are required to comply with the SEC's new cybersecurity incident disclosure rules. These rules mandate that a cyber incident determined to be "material" must be disclosed within four business days of that materiality determination (not of the intrusion itself, and not of its discovery). The regulation has been controversial: many organizations argue that the rules increase their risk and provide inadequate time to properly assess the breach and its impact and to coordinate the necessary notifications.
The consequences for non-compliance are significant, with potential harsh penalties administered by the U.S. Securities and Exchange Commission. Even companies with decades of public ownership are not exempt, further emphasizing the importance of understanding and adhering to these new rules. But what exactly do businesses need to know about these regulations?
According to the SEC, the new cybersecurity disclosure requirements aim to increase transparency and consistency in reporting by requiring organizations to report material cybersecurity incidents, such as data breaches, under a specific line item (Item 1.05) of Form 8-K within four business days of the materiality determination. This standardized approach is meant to benefit both investors and companies by providing a more "consistent, comparable and decision-useful way" of reporting incidents.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler stated when the rules were first approved in July.
In the 8-K filing, affected organizations must describe the material aspects of the nature, scope, and timing of the incident and its material impact, or reasonably likely material impact, on the company, including its financial condition and results of operations. The rule does not, however, require a company to disclose specific technical information about its planned response, its systems and networks, or potential vulnerabilities in such detail as would impede its response or remediation.
According to Jane Norberg, a partner at Washington D.C.-based law firm Arnold & Porter, this means that companies must have proper controls and procedures in place to determine materiality once a cybersecurity incident is detected. She also notes that companies should involve their incident response teams when making materiality determinations.
Norberg further explains that the new regulations also cover incidents related to third-party systems, meaning companies must also assess and report on breaches occurring on these systems.
“This means that a company will need to gather and assess information and make materiality determinations based on breaches of third-party systems,” Norberg says.
To give smaller companies more time to comply, the SEC granted smaller reporting companies (broadly, those with a public float below $250 million, or annual revenues below $100 million together with a small or no public float) an additional 180 days before the Item 1.05 requirement applies to them. There is also an exception to the four-business-day deadline that applies to any registrant: disclosure may be delayed if the U.S. attorney general determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing. The initial delay is limited to 30 days, extendable in stages, and the Department of Justice has designated the FBI as the intake point for companies requesting such a delay.
In addition to the incident disclosure rules, the SEC has added a new line item, Item 106, to Regulation S-K, which is reported in a company's annual Form 10-K filing. This requires businesses to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, whether any such risks have materially affected or are reasonably likely to materially affect the company, the board's oversight of cybersecurity risk, and management's role and expertise in assessing and managing those risks.
But what happens if businesses fail to comply with these new rules?
“The SEC has the authority to enforce compliance and may act against organizations that fail to adhere to the regulations. Some potential consequences include financial penalties, legal liabilities, reputational damage, loss of investor confidence, and regulatory scrutiny,” explains Safi Raza, Senior Director of Cybersecurity at Fusion Risk Management.
As the recent action against SolarWinds and its CISO shows, the SEC's enforcement reach is wide. In that case the SEC is seeking monetary penalties and an order permanently barring the CISO from serving as an officer or director of a public company, based on allegations that the company misstated its security practices and failed to maintain adequate disclosure controls and internal accounting controls in the period surrounding the SolarWinds cyberattack.
Former Uber CSO Joe Sullivan, who was convicted over the concealment of a 2016 data breach, welcomes the new rules, stating in a recent interview with TechCrunch, "We can nitpick the details as much as we want, but this is the right way to do it. I seem to be the person who's criticizing the SEC less than everyone else because I think we should praise them for trying to make rules."
Not everyone is on board with the new regulations, however. Many companies have expressed concern about the four-business-day window for reporting once materiality is determined, especially since a full incident investigation typically takes weeks or months, and a materiality determination made early in that process rests on incomplete facts. Others have raised concerns about the SEC's definition of a "material" incident and the risk that disclosing details of a live incident could hand useful information to the attackers.
Attackers have already tried to turn the rules to their advantage. In November 2023 the Alphv/BlackCat ransomware group filed an SEC complaint against one of its victims, MeridianLink, alleging that the company had failed to report a breach within the four-day window. The complaint had no legal footing at the time, since the rule was not yet in effect and the clock in any case runs from the company's materiality determination rather than from the intrusion, but the tactic of threatening regulatory exposure to raise the pressure for payment is one that extortion groups can be expected to repeat.
As the cybersecurity landscape continues to evolve, businesses must stay informed about changing laws and regulations. Proper controls, processes, and procedures must be in place both to reduce the risk of cyber incidents and to support a defensible, timely materiality determination when one occurs. Given the SEC's stated focus on protecting investors, non-compliance with these disclosure rules could have severe consequences for organizations of all sizes.