Jul 26 – Under controversial new rules that the U.S. Securities and Exchange Commission is expected to adopt, companies hit by cyber attacks will have four days to publicly disclose any significant impact.
At a meeting today, the agency’s commissioners will vote on the details of the reporting rules, which were proposed last year. Trade organizations and enterprises have protested, as the rules would require new workflows, processes and procedures.
These SEC’s rules are the latest in an effort to improve transparency around cyber threats and to address gaps in existing disclosure requirements.
At present, publicly traded U.S. companies rely on SEC guidelines when it comes to publicizing cyber incidents that may be of concern to investors. Up until this point, some cyber serious incidents haven’t been reported in a timely manner. And yet others haven’t been reported at all.
Firms that have provided incident reports offered differing levels of detail regarding the incident’s impact and the corporate response. This makes aggregating and analyzing information, for the purpose of preventing further incidents, a challenge.
Under the new rules, companies will be able to delay disclosure of an incident if it would pose a significant threat to national security or public safety, as determined by the U.S. attorney general.
The four-day countdown will commence once a company has identified an attack as of possible concern for investors.
Groups such as the Information Technology Industry Council have criticized the four-day deadline as too short, noting that companies would likely have little valuable information about the incident at that point.
The SEC has proposed an additional cyber reporting rule pertaining to investment advisers and funds. Another rule has been proposed for stock exchanges and other U.S. securities market-related groups.
Companies that fail to provide information about cyber events are due to face probes and fines from the SEC. SolarWinds Corp., for example, has been cited as liable to see enforcement action over lack of transparency around the incident.
For the latest on the U.S. SEC’s cyber reporting rules, please visit Bloomberg. Lastly, to receive more timely cyber security news, insights and cutting-edge analyses, please sign up for the cybertalk.org newsletter.