Official forum for Utopia Community
The US Securities and Exchange Commission (SEC) on Wednesday approved new regulations that mandate publicly traded companies disclose information about a cyber attack within four days of realizing it has a "material" impact on their finances. This represents a significant change in the way that data breaches are disclosed.
"It may be material to investors," SEC chair Gary Gensler said.
"Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident." "At the moment, a lot of publicly traded companies inform investors about cybersecurity. However, I believe that if this disclosure were made in a manner that was more standardized, comparable, and useful for making decisions, both companies and investors would benefit."
In order to achieve this, the new obligations require businesses to disclose the incident's nature, scope, timing, and impact. However, if it is found that disclosing these details "would pose a substantial risk to national security or public safety," this disclosure may be postponed for an additional period of up to 60 days.
They also require registrants to annually describe the methods and approaches used for evaluating, identifying, and managing material risks from cybersecurity threats, describe the material effects or risks resulting from those events, and share details about ongoing or completed remediation efforts.
Saket Modi, CEO of Safe Security, told The Hacker News that the word "material" is crucial in this context because it must be understood. "Most organizations are unable to determine materiality, a crucial component of shareholder protection, so they are not ready to comply with the SEC guidelines. Systems to calculate risk at both the broad and specific levels are lacking."
The rules, however, do not apply to "specific, technical information about the Registrant's planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would prevent the Registrant from responding to or remediating the incident."
The policy, which was initially proposed in March 2022, is seen as an effort to increase transparency regarding the threats that nation-state actors and cybercrime pose to US companies, close the gaps in cybersecurity defense and disclosure practices, and harden the systems against data theft and intrusions.
According to Kroll, a ransomware gang known as Cl0p has been responsible for a recent wave of cyber attacks that have affected more than 500 businesses. These attacks have been made possible by the exploitation of serious flaws in software that is frequently used in enterprise environments, and the threat actors are using new exfiltration techniques to steal data.
Amit Yoran, CEO and Chairman of Tenable, said the new regulations on cyber risk management and incident disclosure are "right on the money" and represent a "dramatic step toward greater transparency and accountability."
Investors should have the right to know about an organization's cyber risk management initiatives "when cyber breaches have real-life repercussions and reputational costs," Yoran continued.
However, given that it could take businesses weeks or even months to thoroughly investigate a breach, there have been concerns raised that the time frame is too short, which could result in inaccurate disclosures. Premature breach notification could alert additional attackers to a vulnerable target, increasing security risks, further complicating the situation.
According to James McQuiggan, a security awareness advocate at KnowBe4, the new SEC requirement requiring organizations to report cyber attacks or incidents within four days seems aggressive but falls within a more lenient time frame than other nations.
"Companies have 72 hours to report a cyber incident within the European Union, the United Kingdom, Canada, South Africa, and Australia. There are 24 hours in some other nations, including Singapore and China. Within six hours, India is required to report the breach."
"In either case, organizations should have repeatable and well-documented incident response plans with communication plans, procedures, and requirements on who is brought into the incident and when," McQuiggan further stated.