Public companies in the US will be forced to disclose cybersecurity incidents within four days under new rules proposed by financial regulator the Securities and Exchange Commission. Businesses will also be obliged to include details of their cybersecurity set-up in their annual reports, as well as detailing the boardroom expertise they have when it comes to security.
Experts have told Tech Monitor this may nudge UK regulators into being more prescriptive in how they apply rules such as the EU’s NIS2 directive, which is currently open to different interpretations of what level of security is required.
Why the SEC is changing cyberattack disclosure rules
The SEC rules require listed businesses to disclose an incident within four days unless they can prove that public disclosure of such details may pose a public danger, in which case they will have 60 days to comply.
From December, they will also be required to outline their risk management, cybersecurity governance and strategies to boost cybersecurity posture in their annual reports.
The most controversial element of the new rules may be the stipulation that businesses must share what oversight of cyber risk board members have. Item 106 of the new regulations says companies must describe their directors and management’s “role and expertise in assessing and managing material risks from cybersecurity threats”.
By putting the rules in place, the SEC believes it is giving more security to investors. “Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident – it may be material to investors,” said SEC chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors.”
Gensler added that he believes “companies and investors alike would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies and the markets connecting them.”
What do businesses make of the new SEC regulations?
The cybersecurity community has welcomed tighter regulation in the face of major third-party cyberattacks such as the Log4j breach and the recent MOVEit Transfer vulnerability attacks, which have impacted some of the biggest listed companies. Concerns have been raised, however, about the burden the rules will place on corporations.
The New York Stock Exchange argues the information being demanded by the regulator is too detailed and will result in “granular disclosures of organisational minutiae required”, resulting in “overly detailed filings that have little utility to investors”.
The NYSE says demanding information on the cybersecurity expertise of upper management could give investors the wrong impression of a company’s cybersecurity abilities. “The absence of a cybersecurity expert on a company’s board is [not] necessarily the fatal flaw that required disclosure may implicitly suggest to investors,” it says.
Security professionals surveyed by vendor Proofpoint say their organisations are ready to work more closely with regulators. According to the company’s 2023 Voice of the CISO report, 80% of respondents agree that organisations should be required to report a material cyberattack to regulators within a reasonable time frame, while only 6% disagree. “This suggests that boards are now much more willing to work together with regulators,” explains Proofpoint’s resident CISO, Andrew Rose.
A separate survey of board members conducted by Proofpoint found that directors are most concerned with internal data becoming public, reputational damage, loss in revenue, and disruption to operations, all of which could be minimised through increased regulation.
Will the UK strengthen cybersecurity regulations?
For these reasons, the new rules could not have come at a better time, says Edgard Capdevielle, CEO of security company Nozomi Networks. “Cyberattacks are outnumbering and outmanoeuvring even prepared defences,” he says. “It’s time for greater accountability, [and] the introduction of these SEC cybersecurity rules implies a significant and necessary increase in board accountability.”
The new regulations will bring structure and consistency in the US and will likely influence regulators globally, adds Proofpoint’s Rose. “This can only be good news,” he says. “However, it’s unlikely to have much of an impact across large EU or UK-based organisations which are already complying with conditions from the GDPR and NIS2 regulations.”
The new SEC rules could have an influence on how other suites of regulations are implemented, however, suggests Andy Norton, European cyber risk officer at Armis. “With NIS2, requirements are in place to disclose incidents within a time frame and additionally to demonstrate good cyber risk management controls,” he explains. “In the UK, regulators are looking to be more prescriptive with the controls organisations need to implement, as currently there is a wide interpretation of what constitutes appropriate and proportionate cyber capabilities.”
This discrepancy can lead to companies with low levels of security slipping through the cracks, “while claiming the same level of assurance”, he says. “The UK could be pushed to be more prescriptive to enforce a higher systemic level of security, regardless of the individual law.”
But regulation will not be enough to protect companies against all risk, adds Capdevielle. “Cybersecurity is an ongoing process that requires constant vigilance and adaptation to the evolving threat landscape,” he says. “Board accountability, however, will strengthen this vigilance.”