New SEC data breach disclosure rules will come into effect on Monday nearly five months after their original announcement in July, and experts have warned that they could place unnecessary strain on security practitioners.
The rules require companies to publicly disclose a cyber security incident within four days of its discovery.
New ‘Form 8-K’ requirements will compel firms to provide the regulator with detailed insights into a security incident, including its timing, scope, nature, and impact.
The SEC said the introduction of these rules will hold public companies to a higher standard of reporting, improve transparency, and ultimately protect consumers and businesses.
SEC data breach disclosure rules have drawn criticism
Reactions to the new rules have been mixed to say the least. Industry body ISC(2) even went as far as to describe the terms as “worryingly vague” in the wake of the July announcement.
What’s clear is that the issue with the rules lies within its wording, which asks companies to report an incident once it is “material” in nature. As the SEC’s definition of “material” lacks specificity, critics have warned that businesses may be forced to approach the rules interpretatively.
This means that security experts will have to define incidents with few clear guidelines. When the rules take effect on Monday, cyber security professionals can expect to deal with one of either two scenarios as a result of the SEC’s vague wording.
They will either face an issue of over-reporting incidents, wasting time and focus, or they will face a lack of reporting all together, leaving businesses vulnerable to security threats.
The pressure will certainly be ramping up for those in security roles, according to Scott Kannry, CEO and co-founder of Axio.
Kannry warned there are mounting concerns among security leaders that their professional actions “won’t be protected” if called into question in the wake of a damaging security incident.
He added that the introduction of these rules follows a series of moves by the SEC that are prompting great concern among security experts across the US and further afield.
“The combination of new SEC rules, the SEC’s actions against SolarWinds, and the Clorox CISO’s departure following a cyber attack are prompting much soul searching in the cyber security profession,” he said.
“Thousands of security leaders now worry that their professional actions won’t be protected if called into question as they join CEOs, CFOs, General Counsels, and Boards of Directors in being held liable, personally or criminally, for a failure to meet their responsibilities.”
Heightened security risks caused by an increased level of transparency is another potential impact of the new SEC guidelines. Under the rules, companies will be forced to disclose sensitive information about security breaches and thus potentially expose themselves to further risk.
George Gerchow, faculty at IANS Research and CSO & SVP of IT at Sumo Logic, said it’s “extremely difficult to publicly report an active incident while working on it” as practitioners will not only be distracted, but also “vulnerable to other attacks.”
There is scope for exemption, however. Disclosure can be deferred past the four-day rule if the Department of Justice deem the incident to be a national security or public safety risk.
If granted, a company would get a 30-day public filing delay, with the potential to extend that by another 30 days if necessary. The FBI said this will help minimize risks during ongoing security incidents.
