Public companies will be held to far stricter reporting standards around cyber security incidents after the Securities and Exchange Commission passed rules which require disclosure of events within four days.
The new ‘Form 8-K’ requirements compel companies to report any cyber security incident they consider material within four business days of being discovered and give detailed insight into its timing, scope, nature, and impact.
All businesses will also be required to annually file information on their cyber security risks, strategy, governance, and any potential or prior incidents under a new item in Regulation S-K, the piece of regulation that lays out SEC filing requirements.
Foreign private issuers, meaning foreign companies with fewer than 50% of their voting securities in the hands of non-US residents, will be held to the same disclosure standards.
“Whether a company loses a factory in a fire – or millions of files in a cyber security incident – it may be material to investors,” said SEC Chair Gary Gensler.
“Currently, many public companies provide cyber security disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cyber security information, today’s rules will benefit investors, companies, and the markets connecting them.”
Required information in the annual 10-K reports includes the measures being taken by organizations to identify and prevent cyber security threats, the board of directors’ oversight, and management’s handling of cyber security risks.
The changes are due to take effect within 30 days of the release’s publication in the federal register, while the four-day reporting window will take effect 90 days after this publication or 18 December 2023, whichever is later.
Don’t just educate: Create cyber-safe behaviour
Get a game plan that will help build a cyber-resilient culture. Change employee behaviour and improve your security culture.
DOWNLOAD FOR FREE
Annual reports will be required from fiscal years ending on or after 15 December 2023.
The US Attorney General can delay the deadline of four business days for reports by up to 30 days in situations where the disclosure of the information has been deemed to pose a “substantial risk” to either public safety or national security.
A longer, 60-day delay is also allowed for in the final rule [PDF] in “extraordinary circumstances but requires notification in writing from the Attorney General. Beyond this point, the SEC reserves the right to grant additional delays on a case-by-case basis.
Commissioner Hester M. Peirce dissented against the final rule, and described it as a “test run for future overly prescriptive, overly costly disclosure rules covering a never-ending list of hot topics”.
Commissioner Peirce also suggested that threat actors could use the 8-K requirements to gain insight into businesses’ cyber security measures, as well as to identify lucrative targets for ransomware by probing reports for firms that indicate they stand to lose a lot in attacks.
Bitdefender surveyed 400 IT professionals earlier this year and found that nearly half had been told to keep data breaches a secret, with US staff most likely to have obeyed.
71% of IT employees in the US reported that they failed to notify senior management or customers about breaches they suffered.
The report also found that staff in the UK, France, Germany, Spain, and Italy were least likely to keep a data breach secret. The finding is relatively unsurprising given that all five are bound by strict GDPR rules, or in the case of the UK GDPR-influenced rules.
The US has been behind countries in Europe on the matter of timely data breach notification for years. The GDPR introduced the mandatory 72-hour window for organizations to inform their nation’s data protection authority in 2018, and the UK has retained this even after leaving the EU.
Like the US’ new rules, exceptions can be granted in exceptional circumstances but failure to adequately report a breach can land organizations with sizeable fines of €10 million or 2% of a company’s annual revenue.
Fines are often a last-resort tactic used by regulators who generally agree that their primary role is to raise the quality of data protection and response to incidents rather than freely punishing offences.
The 72-hour window was introduced to improve the rights afforded to residents of countries bound by the GDPR’s rules, as well as raise corporate standards of data protection generally.
Until now, most organizations in the US have not been bound by such rules, bar some exceptions.
The Cyber Incident Reporting Act of 2022 requires organizations responsible for critical national infrastructure (CNI) to report cyber attacks to Cybersecurity and Infrastructure Security Agency within 72 hours from the time they believe the incident took place.
Notice of ransomware payments must similarly be made within 24 hours, and CISA holds the right to subpoena organizations that do not submit timely reports.
Private companies have less clear reporting guidelines, and as deadlines vary state by state there is often uneven insight into the threat landscape at a federal level.
Colorado requires firms to notify Colorado residents within 30 days of an incident occurring, and the state’s Attorney General if more than 500 residents are notified.
In contrast, Alabama only requires individuals involved in breaches to be notified if it’s found that it likely caused them significant harm.
Information security experts have called for a standardized information-sharing framework, to ensure companies not only provide timely reports but also give more detailed insight into attacks than the bare minimum.
The absence of mandatory reporting windows in the US has led to some cases where organizations that have suffered major breaches have been legally allowed to delay disclosure indefinitely, despite many of their clients and stakeholders being affected.
In 2021, GoDaddy took two months to disclose its data breach which exposed the names and email addresses of up to 1.2 million of its users, past and present.
Uber’s CSO infamously covered up a 2016 hack on the company, which exploited the same vulnerability as a separate 2014 attack. The incident saw the theft of the names and email addresses of 50 million users and 7 million drivers.
Allegations at the time of the cover-up’s discovery in 2017 also focused on an alleged $100,000 payment made by then-CSO Joseph Sullivan to the hackers in return for their silence.
Found guilty earlier this year, Sullivan is now serving a three-year term of probation and has been ordered to pay a $50,000 fine.
