SEC Delays Final Rule on Cyber Incident Disclosure Amid Industry Pushback

Source: CFO Drive | Published on June 20, 2023

Cyberattacks infrastructure

The Securities and Exchange Commission has delayed a final rule requiring publicly traded corporations to report major cyber breaches and assaults in regulatory filings until October.

The rule, initially proposed in March 2022, would require public companies to submit a filing within four days of determining whether a cyber breach is material.

As part of that proposal, the SEC also sought additional disclosures from companies regarding their cyber governance, including board expertise and upper management involvement in cyber risk.

The SEC also proposed investment companies and advisors adopt written cybersecurity policies in February 2022.

The proposal stemmed from years of companies delaying or failing to disclose significant cyber breaches or ransomware attacks.

Companies have historically only reported about one-quarter of ransomware attacks to public authorities, according to a report from the U.S. Senate released in 2022. These incidents have largely been kept confidential, with arranged ransom payments to avoid data disclosures, consumer or investor lawsuits and reputational harm.

IT security experts say the delay will increase the level of risk, because many investors, consumers and companies will rely on voluntary disclosure of major cyberattacks.

“Without the hammer the SEC regulations can bring, reporting breaches will continue to be voluntary and historically that doesn’t work,” Gary Barlet, field CTO, federal at Illumio, said via email.

SEC officials have not publicly stated the reasons for the delay, but there has been significant pushback from various stakeholders regarding the four-day disclosure proposal.

Some organizations, like cybersecurity firm Rapid7, argued the proposed disclosure rules would risk making ongoing attacks part of the public record. Therefore, disclosure would potentially tip off criminal hackers if a company was required to go public before the incident was contained.

Rapid7 officials asked the SEC for the ability to let companies delay disclosure until attacks were mitigated.

New US