New SEC rules around data breach disclosures arrive on Monday – here's what you need to know

Securities and Exchange Commission building in Washington, DC
(Image credit: Getty Images)

New SEC data breach disclosure rules will come into effect on Monday nearly five months after their original announcement in July, and experts have warned that they could place unnecessary strain on security practitioners.

The rules require companies to publicly disclose a cyber security incident within four days of its discovery.

New ‘Form 8-K’ requirements will compel firms to provide the regulator with detailed insights into a security incident, including its timing, scope, nature, and impact.

The SEC said the introduction of these rules will hold public companies to a higher standard of reporting, improve transparency, and ultimately protect consumers and businesses.

SEC data breach disclosure rules have drawn criticism

Reactions to the new rules have been mixed to say the least. Industry body ISC(2) even went as far as to describe the terms as “worryingly vague” in the wake of the July announcement.

What’s clear is that the issue with the rules lies within its wording, which asks companies to report an incident once it is “material” in nature. As the SEC’s definition of “material” lacks specificity, critics have warned that businesses may be forced to approach the rules interpretatively.

This means that security experts will have to define incidents with few clear guidelines. When the rules take effect on Monday, cyber security professionals can expect to deal with one of either two scenarios as a result of the SEC’s vague wording.

They will either face an issue of over-reporting incidents, wasting time and focus, or they will face a lack of reporting all together, leaving businesses vulnerable to security threats. 

The pressure will certainly be ramping up for those in security roles, according to Scott Kannry, CEO and co-founder of Axio.


A webinar from Cloudflare on the latest DDoS attack trends

(Image credit: Cloudflare)

Get unique insights into the latest DDOS attack trends


Kannry warned there are mounting concerns among security leaders that their professional actions “won’t be protected” if called into question in the wake of a damaging security incident.

He added that the introduction of these rules follows a series of moves by the SEC that are prompting great concern among security experts across the US and further afield.

“The combination of new SEC rules, the SEC’s actions against SolarWinds, and the Clorox CISO’s departure following a cyber attack are prompting much soul searching in the cyber security profession,” he said.

“Thousands of security leaders now worry that their professional actions won’t be protected if called into question as they join CEOs, CFOs, General Counsels, and Boards of Directors in being held liable, personally or criminally, for a failure to meet their responsibilities.”

Heightened security risks caused by an increased level of transparency is another potential impact of the new SEC guidelines. Under the rules, companies will be forced to disclose sensitive information about security breaches and thus potentially expose themselves to further risk.

George Gerchow, faculty at IANS Research and CSO & SVP of IT at Sumo Logic, said it’s “extremely difficult to publicly report an active incident while working on it” as practitioners will not only be distracted, but also “vulnerable to other attacks.”

There is scope for exemption, however. Disclosure can be deferred past the four-day rule if the Department of Justice deem the incident to be a national security or public safety risk.

If granted, a company would get a 30-day public filing delay, with the potential to extend that by another 30 days if necessary. The FBI said this will help minimize risks during ongoing security incidents.

George Fitzmaurice
Staff Writer

George Fitzmaurice is a staff writer at ITPro, ChannelPro, and CloudPro, with a particular interest in AI regulation, data legislation, and market development. After graduating from the University of Oxford with a degree in English Language and Literature, he undertook an internship at the New Statesman before starting at ITPro. Outside of the office, George is both an aspiring musician and an avid reader.