The United States Securities and Exchange Commission (SEC) has approved new regulations that require publicly traded companies to report significant cybersecurity breaches within four business days. Critics have argued that the strict new rules, however well intentioned, are likely to make some businesses feel "micromanaged" and may even assist attackers.
Listed companies will be obliged to provide specific information on "material" cyberattacks beginning in December 2023. This information must include "the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant." What exactly is meant by "material impact"? According to the SEC, this includes "harm to a company's reputation, customer or vendor relationships, or competitiveness," as well as the potential for litigation or regulatory action.
I don’t know much about you, but to me, it seems like a rather wide-ranging term.
What we do know is that in the early days of a cyberattack, it is frequently difficult for a targeted firm to ascertain what kind of data, and how much of it, may have been compromised by malicious hackers. Theft of data is not comparable to the theft of a physical object, because of the very nature of data itself. If someone were to break into a museum and steal a painting, it would be quite evident what had been stolen, since there would be an empty space on the wall where the painting had been exhibited before it was removed.
However, data can be stolen from an organization by copying it and transferring it elsewhere; the original data remains in place and accessible. In a nutshell, there is no empty space on the wall. It sometimes takes considerably longer than four days for businesses to be able to say accurately which data cybercriminals have obtained and which data they have not accessed.
And if a company is unable to make that difficult judgment with precision, it runs the risk of disclosing wrong or incomplete information to the relevant authorities, as well as to affected partners, employees, and customers. Many companies that have been hacked in the past have tasted the agony of disclosing a data breach, only to have to issue a fresh statement that far more data was taken than previously assumed, which does further harm to their brand and business relationships.
Conversely, if a corporation publicly announces that a data breach was far more severe than it really was, it will often find it challenging to repair the harm caused by that first disclosure. In addition, a business hurrying to meet the deadline may feel forced to reveal that it was the victim of a previously unreported zero-day vulnerability before it has had the chance to report the issue properly to the vendor and before a fix has been made publicly available. If the vulnerability is serious enough, its public exposure may lead other cybercriminals to exploit the same flaw in attacks against other firms.
As a result, I can empathize with businesses that are concerned that authorities may pressure them to report a cyberattack before they have collected all of the relevant data and hence before they are fully prepared to do so.
On the other hand, it is crystal clear that some companies have in the past intentionally withheld information about a cyberattack, underplayed its true severity, or only released details of a breach at a time likely to do the least damage to their reputation (perhaps on a Friday afternoon, or just before the Thanksgiving holiday).
In the end, corporations are forced to take defensive measures, not just against cyberattacks but also against the loss of clients.
In the words of the head of the SEC, Gary Gensler, disclosing breaches in a “more consistent, comparable, and decision-useful way” does seem beneficial, and it should increase openness.
Although this will no doubt offer some advantages to the general public, and will be widely appreciated, it will also cause problems for businesses in the immediate aftermath of an attack, when they may feel their resources would be better spent putting out the fire in front of them.
Information security specialist, currently working as a risk infrastructure specialist and investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.