Crooks pwned your servers? You’ve got four days to tell us, SEC tells public companies

Public companies that suffer a computer crime likely to cause a “material” hit to an investor will soon face a four-day time limit to disclose the incident, according to rules approved today by the US Securities and Exchange Commission.

The SEC proposed the changes last March, and on Wednesday the financial watchdog voted to adopt the requirements [PDF]. The rules, which take effect 30 days after being published in the Federal Register later this year, will require publicly traded firms to openly disclose in a new section (Item 1.05) of Form 8-K any cybersecurity incident that has a material impact on their business.

Companies must make this determination “without unreasonable delay,” according to the new rules. If they decide a security breach is material, they then have four days to submit an Item 1.05 Form 8-K report detailing the material aspects of the incident’s “nature, scope, and timing,” plus its material impact, or reasonably likely material impact, on the business. Those 8-K forms are made public by the SEC.

What is material?

“The key word here is ‘material,’ and being able to determine what that actually means,” Safe Security CEO Saket Modi told The Register.

Modi’s company helps major corporations quantify and manage their cyber risk. He said most organizations don’t have systems in place to determine materiality, and, as such, will have a tough time complying with this new rule.

“The game needs to change to focus on protecting systems that pose the biggest material risk to business and making cyber investments that will reduce the likelihood of material risk breaches,” Modi said. “This means businesses will have to translate bits and bytes of cyber risk into dollars and cents of material business risk.”

There is, however, an exception to the four-day timeline: a company can delay filing this report with the SEC if the US Attorney General determines that openly disclosing the intrusion immediately would pose a major risk to national security or public safety.

The rules also add a new reporting requirement, Regulation S-K Item 106, which will require public companies to describe their processes — if they have any — for assessing, identifying, and managing material risks from cybersecurity threats.

Item 106 also requires firms to detail their board of directors’ oversight of cyber threats, and management’s role in assessing and managing material risks from these threats. Companies will be required to publicly disclose this information in their annual report to the SEC on Form 10-K.

And finally, the rules require foreign companies that do business in the US to disclose any material cybersecurity incidents that they experience on Form 6-K, as well as their cyber risk management strategy and governance on Form 20-F.

Changing the board’s role in cyber risk management

The Google Cybersecurity Action Team has published a couple of recent reports, one in April [PDF] and one in July [PDF], intended to help boards of directors take a more proactive role in corporate cybersecurity.

While boards have traditionally approached infosec “as a siloed priority,” Item 106 should encourage board members to “view cyber risk through the lens of overall business risk,” said David Homovich, solutions consultant for Google Cloud Office of the CISO.

“Ideally, boards will integrate cybersecurity and resiliency into their overall business strategy, risk management practices, budgeting, and resource allocation to underpin that cyber risk is everyone’s responsibility,” Homovich told The Register. “Boards’ cybersecurity awareness and subsequent guidance in this area is absolutely critical to every organization’s long term success.”

To do this, he suggests boards do three things. First: get educated about key topics. This will help “ensure that cyber and broader technology risk is embedded in operational risk and strategic discussions and organizational decisions,” he said.

Second: engage with the CISO and other C-Suite leaders to better understand security gaps and resource needs, and make sure this risk “is treated as a priority for all executives – not just the cybersecurity team.”

Third: “Stay informed about ongoing reporting activities, ask questions, and work with the CISO and other leaders to understand cyber risk metrics,” Homovich said.

Not everyone likes the new regulations

Of course, not everyone is happy with the new cyber-reporting rules. The SEC’s 3-2 vote approving the changes went down along party lines, with the regulator’s two Republican commissioners opposing the requirements.

The Bank Policy Institute (BPI) is also not a fan, and said the disclosures will end up “harming the very investors it purports to protect by prematurely publicizing a company’s vulnerabilities,” according to Heather Hogsett, senior veep of technology and risk strategy for BPI’s technology policy division.

“No reasonable investor would want premature disclosure of a cyber event to malicious actors or a hostile nation-state, which could exacerbate security risks and create a recipe for disaster the next time a major cyber incident occurs,” Hogsett told The Register.

Again, we’ll point out that security events determined to pose a national security or public safety risk aren’t held to the four-day reporting deadline.

Major security breaches reported by public companies increased by nearly 600 percent in the past decade, according to Commissioner Caroline Crenshaw, citing earlier SEC figures. “The costs, borne by issuers and their investors, are estimated to be in the trillions of dollars per year in the US alone,” she added in a statement about the new rules.

“The rule will, among other things, provide investors and market participants across the board with critical information relating to a company’s risk management and strategy, as well as governance, in its periodic reporting,” Crenshaw, a Democrat, said.

But will they make orgs safer?

Ultimately, the rules should also make American companies and individuals safer, said Tenable CEO and chairman Amit Yoran, who called them “right on the money.” This is understandable, since his business makes its dosh in computer security.

“In many ways, the SEC’s rule will regulate what companies should have been implementing in the first place — good cyber hygiene,” he told The Register. “For a long time, the largest and most powerful US companies have treated cybersecurity as a nice-to-have, not a must have. Now, it’s abundantly clear that corporate leaders must elevate cybersecurity within their organizations.”

Plus, he added, investors have a right to know about organizations’ cyber risk management, because breaches have real-life consequences and costs.

“This is a dramatic step toward greater transparency and accountability and will greatly improve our cybersecurity preparedness as a nation,” Yoran said. ®