Delay Comes Amid Criticism of Rule Requiring 4-Day Disclosure of Material Incidents
Federal market regulators delayed until October a final decision for new rules mandating private sector disclosure of cybersecurity incidents and cyber expertise on public boards.
The U.S. Securities and Exchange Commission revealed the delay last week amid pushback to a proposal that publicly traded corporations disclose a “material cybersecurity incident” within four business days of discovery. Regulators had been expected to publish final rules as early as April 3, but now final action isn’t expected until October.
As part of the rules, federal regulators said investors should also know whether board members are competent in handling cybersecurity issues. The proposals, particularly for incident disclosure, yielded substantial comment from stakeholders, who submitted 177 responses and held 28 meetings with SEC officials, including one on May 17 (see: SEC Eyes Final Rules on Incident Disclosure, Board Expertise).
The U.S. Chamber of Commerce in comments representative of a wide swath of industry lobbying organizations accused the SEC in 2022 of attempting to “micromanage” corporate cybersecurity programs by “forcing them to allocate resources toward compliance-based reporting.” It criticized the four-day deadline as not giving companies enough time to accurately assess the severity of incidents and said forcing corporate boards to disclose board members with cybersecurity expertise would backfire, among other criticism.
The cybersecurity industry generally supports the rules with a notable exception in Rapid7, which met twice with SEC officials to voice concerns since the rules were first proposed in March 2022. “Public disclosure of an unmitigated or uncontained cyber incident will likely lead to attacker behaviors that cause additional harm to investors,” the company wrote on Aug. 29, 2022.
The rules received qualified support last week from the Digital Forensic Research Lab, which supports providing publicly accessible and standardized data about cyber incidents. The organization proposed allowing firms to delay reporting for ongoing or uncontained cyber incidents for up to 30 days as well as for incidents in which notification would have a negative effect on national security, as certified by the attorney general or the U.S. Cybersecurity and Infrastructure Security Agency.
“The SEC’s rule’s combination of public disclosure, broad applicability, and standardized reporting – coupled with enforcement by a well-resource federal agency – will provide a level of cybersecurity transparency that is more robust than existing incident disclosure requirements, including state-level data breach laws and sector-specific reporting requirements,” the Digital Forensic Research Lab wrote.
The Electronic Privacy Information Center said establishing incident response and minimum data breach reporting requirements for broker-dealers, investment companies, investment advisers and transfer agents would create stronger and more comprehensive regulations. EPIC said the SEC should ensure notifications give consumers enough information to understand what happened and take action (see: SEC Breach Disclosure Rule Makes CISOs Assess Damage Sooner).
“The costs associated with the incident response programs and more robust notification regime serve an important forcing function for entities that might otherwise not adequately invest in safeguards on the front end,” EPIC Executive Director Alan Butler wrote on June 5.