SEC to Require Public Companies Disclose “Material” Cyberattacks in Four Days
Date: July 27, 2023
The U.S. Securities and Exchange Commission will soon require publicly traded companies to disclose cyberattack events within four business days if they are deemed "material" to current and prospective shareholders "in making an investment decision."
"Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors," SEC Chair Gary Gensler said, as reported by Bleeping Computer.
"I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them."
The new SEC rules will require impacted organizations to report:
- The date of discovery and status of the incident (ongoing or resolved)
- A concise description of the incident's nature and extent
- Any data that may have been compromised, altered, accessed, or used without authorization
- The impact of the incident on the company's operations
- Information about ongoing or completed remediation efforts by the company
It was noted that in some cases public reporting may be delayed if it is determined that a disclosure would pose a risk to national security or public safety.
Takeaway: More visibility and accountability in regard to security-related events at publicly traded companies is a good thing – that's a no-brainer. But we do have to be careful to not confuse disclosing information about a cyberattack with actually informing investors as to why an attack should be considered in their investment decisions.
The fact is that publicly traded companies are attacked every day, and if the company is really big, they may be attacked hundreds of times in a day. As we in the security trade already know, you can’t stop cyberattacks, but you can stop an attack from being successful and attaining its intended objective.
That said, the real challenge with this new SEC ruleset is going to be twofold: first, the onus is on corporate officers to decide if and when a security event reaches the threshold of being “material” to investors.
This leaves quite a bit of room for subjectivity and plausible deniability, and, if not structured correctly, could produce a culture where security teams are pressured to conceal security events from the executive suite so that the event goes unreported.
The second challenge is whether or not investors are educated enough about all things cyber to know what to do with information about an incident – and this is the real rub here. There can be a very significant amount of time that passes between “we are under attack” and “we understand the full nature of and potential impact of the attack.”
Forensic investigations are difficult, and they take time. The disclosure rule set by the SEC, if not supported by investor education efforts, has the potential to create a situation where an attack is disclosed but the details are murky because it could be weeks or months before the organization can adequately assess the information the SEC is requiring be reported.
But investors, once informed of an attack, will want the details, and want them now. This could create situations where company leadership appears incompetent because they can’t answer tough questions about an event, undermining investor confidence.
As well, the company's leadership would then be in the position of trickling out incomplete information over time as the investigation progresses, and simply end up dying by a thousand cuts.
The inability to provide concrete answers immediately will likely create confusion and anxiety for investors, causing them to overreact to an event that – while reportable per SEC rules – may in fact not be that serious an event from a security standpoint.
For example, a denial of service (DoS) attack that takes a company’s web retail operation offline for a period could cost the company millions of dollars. This is definitely material and thus required to be reported.
But a DoS attack is not necessarily an existential event for a company compared to, let's say, a corporate espionage attack where no systems went down, no revenue was lost, but systems with sensitive data like intellectual property were accessed.
Material? Probably so. But such an attack could also be written off as a simple intrusion event and nothing else. The attackers got into the systems, the intrusion was detected, the security team evicted the attackers from the network, and it appears no damage was done.
That is, until two years later when a foreign-based startup emerges with basically the exact same product selling at a steeply discounted price because the new competitor has no R&D costs to recover.
This scenario would possibly be an existential event for the victim organization, but how could they possibly forecast this serious situation within four days of detecting the intrusion event?
Without a great deal of education for the investor community, in situations like this we might see shareholders flee every time a company gets hit with a relatively minor DoS attack, crashing the company's stock price, while feeling secure about their long-term investment in a company that is actually at significant risk of becoming obsolete.
While this is an overly simplified example, it drives home the point: any requirement on victim organizations to report material security events to investors needs to come with a concerted effort to educate investors on the nuances of attacks, security operations, and risk, or the SEC will just be creating more problems than it is actually solving.
Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.