Publicly traded companies must report cybersecurity breaches within four days.

The Securities and Exchange Commission (SEC) has taken a significant step towards strengthening cybersecurity regulations for public companies. In a 3-2 vote along party lines, the SEC approved rules that require companies to disclose any cybersecurity breaches within four days if they could impact their financial performance. However, there is flexibility for delays if immediate disclosure would pose national security or public safety risks.

The new rules also oblige publicly traded companies to provide annual disclosures about their management of cybersecurity risks and the expertise of their executives in this field. The intention is to safeguard the interests of investors and increase transparency.

Delays in breach disclosures can be permitted if the U.S. Attorney General determines that they would present a substantial risk to national security or public safety. However, such delays cannot exceed 60 days, except under extraordinary circumstances.

SEC Chair Gary Gensler emphasized the importance of consistent disclosures, stating that whether it is a fire damaging a factory or a cybersecurity incident compromising millions of files, both events could be material to investors. The aim of these rules is to address the current inconsistency in breach disclosures and enforce more transparency regarding the growing risk of cyber attacks.

While these regulations will promote transparency and potentially drive improvements in cyber defenses, they may also pose challenges for smaller companies with limited resources, according to Lesley Ritter, senior VP at Moody’s Investors Service.

It’s worth noting that the four-day reporting window does not start until a company determines that a breach is material. One of the dissenting Republican commissioners, Hester Peirce, raised concerns that the new requirements exceed the SEC’s authority and may inadvertently benefit hackers by providing them with detailed information on companies’ cyber risk management.

Tenable CEO Amit Yoran, a prominent figure in cybersecurity, welcomed the new rule, emphasizing that cybersecurity should be a priority for all organizations. Yoran believes that this regulation sends a clear message to corporate leaders that cybersecurity is not just a “nice-to-have” but a necessity.

The SEC proposed these rules in March 2022, recognizing the escalating risk of corporate network breaches as digitization and remote work became more prevalent. The increasing cost to investors from cyber incidents further underscored the need for improved regulations.

Currently, certain critical infrastructure operators and all healthcare providers are legally required to report breaches. However, there is no federal breach disclosure law in place.

A recent report by IBM revealed that organizations now spend an average of $4.5 million to address breaches, representing a 15% increase over the past three years. The costs are often passed on to consumers, who may also be victims of personal information theft resulting from breaches, according to the Ponemon Institute.

The adoption of these rules comes amidst delayed and cryptic disclosures surrounding a significant data breach caused by Russian cybercriminals through a supply chain hack of the widely used file transfer program, MOVEit. This breach has affected numerous organizations, including universities, major pension funds, U.S. government agencies, and well-known companies such as the BBC, British Airways, Ernst & Young, and PricewaterhouseCoopers.

Many victims of the MOVEit breach emphasized that they were let down by a third-party application. The new SEC rule specifically covers third-party apps, acknowledging the increasing reliance on external cloud services for data management and storage.
