SEC Delays Final Rules on Breach Disclosure, Board Expertise

Delay Comes Amid Criticism of Rule Requiring 4-Day Disclosure of Material Incidents
SEC Delays Final Rules on Breach Disclosure, Board Expertise

Federal market regulators delayed until October a final decision for new rules mandating private sector disclosure of cybersecurity incidents and cyber expertise on public boards.

See Also: 11 Guidelines for Minimizing Vulnerability for IBM z/OS while Improving Compliance

The U.S. Securities and Exchange Commission revealed the delay last week amid pushback to a proposal that publicly traded corporations disclose a "material cybersecurity incident" within four business days of discovery. Regulators had been expected to publish final rules as early as April 3, but now final action isn't expected until October.

As part of the rules, federal regulators said investors should also know whether board members are competent in handling cybersecurity issues. The proposals, particularly for incident disclosure, yielded substantial comment from stakeholders, who submitted 177 responses and held 28 meetings with SEC officials, including one on May 17 (see: SEC Eyes Final Rules on Incident Disclosure, Board Expertise).

The U.S. Chamber of Commerce in comments representative of a wide swath of industry lobbying organizations accused the SEC in 2022 of attempting to "micromanage" corporate cybersecurity programs by "forcing them to allocate resources toward compliance-based reporting." It criticized the four-day deadline as not giving companies enough time to accurately assess the severity of incidents and said forcing corporate boards to disclose board members with cybersecurity expertise would backfire, among other criticism.

The cybersecurity industry generally supports the rules with a notable exception in Rapid7, which met twice with SEC officials to voice concerns since the rules were first proposed in March 2022. "Public disclosure of an unmitigated or uncontained cyber incident will likely lead to attacker behaviors that cause additional harm to investors," the company wrote on Aug. 29, 2022.

The rules received qualified support last week from the Digital Forensic Research Lab, which supports providing publicly accessible and standardized data about cyber incidents. The organization proposed allowing firms to delay reporting for ongoing or uncontained cyber incidents for up to 30 days as well as for incidents in which notification would have a negative effect on national security, as certified by the attorney general or the U.S. Cybersecurity and Infrastructure Security Agency.

"The SEC's rule's combination of public disclosure, broad applicability, and standardized reporting - coupled with enforcement by a well-resource federal agency - will provide a level of cybersecurity transparency that is more robust than existing incident disclosure requirements, including state-level data breach laws and sector-specific reporting requirements," the Digital Forensic Research Lab wrote.

The Electronic Privacy Information Center said establishing incident response and minimum data breach reporting requirements for broker-dealers, investment companies, investment advisers and transfer agents would create stronger and more comprehensive regulations. EPIC said the SEC should ensure notifications give consumers enough information to understand what happened and take action (see: SEC Breach Disclosure Rule Makes CISOs Assess Damage Sooner).

"The costs associated with the incident response programs and more robust notification regime serve an important forcing function for entities that might otherwise not adequately invest in safeguards on the front end," EPIC Executive Director Alan Butler wrote on June 5.

About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.