SEC To CEOs: Report Your Breaches

Drew Conry-Murray

This post was originally published in Human Infrastructure, a free weekly newsletter of blogs, news, and links curated by the Packet Pushers. Sign up for free here.


In July 2023 the Securities and Exchange Commission (SEC) adopted new rules requiring public companies to disclose cybersecurity incidents. The goal is to give investors and shareholders timely information about security incidents and breaches. By making disclosures mandatory, the SEC hopes that the information presented to investors will be “consistent, comparable, and decision-useful,” according to the SEC’s press release.

The SEC cites the need for the rule based on the increasing number of attacks and breaches, the dependence of economic activity on electronic systems, the rise of adverse costs of security incidents, and evidence suggesting that companies are under-reporting incidents.

Disclosures must be made via Form 8-K, a standard document that public companies use to alert shareholders of major events. Note what starts the clock: the disclosure must be filed within four business days after the company determines that the incident is material, not four business days after the incident is discovered. The rule does require that materiality determination to be made without unreasonable delay after discovery, so a company cannot stall the clock indefinitely by simply not deciding.

What are companies supposed to report? The SEC wants to see the following:

• When the incident was discovered and whether it is ongoing;
• A brief description of the nature and scope of the incident;
• Whether any data were stolen, altered, accessed, or used for any other unauthorized purpose;
• The effect of the incident on the registrant’s operations;
• Whether the registrant has remediated or is currently remediating the incident.

In the final rule these items are condensed into two requirements: the material aspects of the nature, scope, and timing of the incident, and its material impact, or reasonably likely material impact, on the registrant, including its financial condition and results of operations. The final rule also states that a company need not disclose specific technical details about its planned response or its systems if doing so would impede its response or remediation.

In addition, public companies are also required to report annually on their processes for assessing, identifying, and managing material risks from cybersecurity threats, along with the board’s oversight of those risks and management’s role in handling them. This report will be included in Form 10-K.

Material World

Regarding the disclosure of an incident, the new rule says companies must report any security incident that the company deems “material.”

Allowing a company itself to determine whether an incident is “material” seems to me a loophole big enough to drive a truck through. However, the SEC does provide more guidance via a PDF, restating the materiality standard that securities law has long applied to other corporate disclosures. An incident is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.”

That still feels a little squishy to me, but the SEC follows up with this line: “Doubts as to the critical nature” of the relevant information should be “resolved in favor of those the statute is designed to protect,” namely investors.

Potential Impacts

I see some potential, both good and bad, for these new rules:

Possible Upsides

–More transparency is better for investors and the public. Many publicly traded companies harvest and store sensitive personal data on millions of people. The public needs to know how well, or poorly, corporations are stewarding our data.

–IT vendors face few repercussions for shipping buggy, half-baked code. Perhaps now their customers will have more incentive to shift some of this public scrutiny to their IT “partners” and demand higher-quality software.

Possible Downsides

–Rather than improving security controls and incident response, public companies may decide it’s more cost-effective to hire a few more lawyers to play dice with the SEC rules.

–Repeated and widespread disclosures may have a numbing effect. Instead of spurring public companies to be more vigilant, they’ll just shrug and say “Nobody’s good at this, so let’s just take the hit, write it off, and move on.”

What’s Next?

The rule around disclosure of an incident takes effect “beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023,” according to the SEC press release. Smaller reporting companies get an additional 180 days before the Form 8-K requirement applies to them, and the annual Form 10-K disclosures are required for fiscal years ending on or after December 15, 2023.

I’m curious to see which company is the first to reach this inauspicious milestone.

About Drew Conry-Murray: Drew Conry-Murray has been writing about information technology for more than 15 years, with an emphasis on networking, security, and cloud. He's co-host of The Network Break podcast and a Tech Field Day delegate. He loves real tea and virtual donuts, and is delighted that his job lets him talk with so many smart, passionate people. He writes novels in his spare time.