In a significant development aimed at improving transparency and protecting investors, the U.S. Securities and Exchange Commission (SEC) has adopted new rules. Under these rules, publicly traded companies are required to disclose any “material” cyber attack affecting their financial position within four days of detection.
What constitutes a ‘material’ cyber attack?
Gary Gensler, the SEC Chair, equated the impact of a major cyber attack to a physical loss, such as a factory fire. According to him, such an incident “may be material to investors.” The consistency, comparability, and usefulness of the disclosure of cybersecurity incidents to investors are set to improve with these rules.
The rules oblige companies to reveal the nature, scope, and timing of the cyber attack and its impact. However, there could be an additional delay of up to 60 days in disclosing specific details if it poses a significant risk to national security or public safety.
The annual reporting requirement
Additionally, companies must provide an annual description of their methods and strategies for assessing, identifying, and managing substantial cybersecurity threats. They should also detail the effects or risks arising from such events and share information about ongoing or completed remediation efforts.
Saket Modi, CEO of Safe Security, highlighted the keyword ‘material’ and the challenge many organizations might face in determining what it means for them, as they may not have the systems in place to quantify cyber risk.
SEC rules – bridging the cybersecurity gaps
These rules, proposed first in March 2022, aim to increase transparency concerning the threats U.S. companies face from cybercrime and nation-state actors. This policy is a major step towards strengthening cybersecurity defense and disclosure practices and fortifying systems against data theft and intrusions.
Concerns raised about the tight timeframe
Despite the positive feedback on the new rules, some concerns have been raised about the tight four-day reporting window. It is feared that this could lead to inaccurate disclosures, since companies might require weeks or even months to thoroughly investigate a breach. Early breach notifications could also inadvertently alert other attackers to a vulnerable target, escalating security risks.
Regardless, this development marks a significant step towards greater cybersecurity transparency and accountability. What are your views on the new SEC rules? We invite you to share your thoughts in the comment section below.