SEC Sets 4-Day Deadline for Public Companies to Report Hacks

Companies hit by cyberattacks face a four-day deadline for publicly disclosing significant impact under controversial new rules approved Wednesday by the US Securities and Exchange Commission.

(Bloomberg) — Companies hit by cyberattacks face a four-day deadline for publicly disclosing significant impact under controversial new rules approved Wednesday by the US Securities and Exchange Commission.

Those rules, proposed last year and vigorously contested by trade organizations and businesses, would require publicly traded firms to file details of a cyberattack within four days of identifying that it has a material impact.

The markets regulator’s disclosure rules are its latest effort to boost transparency into cyber threats after years of relentless attacks against businesses from both criminal gangs and hackers backed by nation states. They also seek to address gaps in existing cybersecurity disclosures, according to the agency.

Publicly traded companies currently rely on SEC guidelines for when to address cyber risks and incidents that are considered relevant for investors. That has created a hodgepodge of cyber incident reporting. Companies that report incidents provide different amounts of detail about the impact and their response to it. Some cyber incidents aren’t reported in a timely manner, while others aren’t disclosed at all.

Potential Delay

Companies could delay disclosure if revealing information about a hack would pose a significant risk to national security or public safety, as determined by the US attorney general. The delay, added to the newest version of the rules, responds to business concerns with the commission’s initial proposal. Business groups pushed for the delay clause, arguing that prematurely making a cybersecurity vulnerability or incident public could impede an ongoing law enforcement investigation. 

“The risk that a large segment of customers will lose faith in a business’s ability to protect sensitive personal information may certainly be material to an investor’s decision to invest in a company,” said Commissioner Jaime Lizárraga, one of three commissioners who supported the new rules. “That’s especially the case in a post-Covid world where working people in our country spend greater amounts of time working remotely.”

Events that warrant reporting could include cyberattacks that involve the theft of intellectual property, a business interruption or reputational damage, he said. The addition of an allowance for delaying cyber breaches if the attorney general notifies the SEC that a disclosure would pose a risk to national security was “sufficiently narrow” and strikes the appropriate balance between the commission’s prerogative to protect investors and the Department of Justice’s priorities around national security and public safety, Lizárraga said.

Christopher Hetner, a former cybersecurity adviser at the SEC who now provides guidance to the National Association of Corporate Directors on the issue, said, “The outcome of this rule will be to create more normalcy across disclosures.” Existing cyber disclosures are highly fragmented, unlike financial statements that are consistent thanks to common accounting standards, Hetner said.

Commissioner Hester Peirce, one of two commissioners who opposed the rules, worried that the short period for making incident disclosures could leave investors with information that isn’t accurate. The rules allow a company to update its incident disclosure with new information that was unavailable at first. 

Others pushed back on the proposal prior to the vote. For instance, the Information Technology Industry Council, a trade association, criticized the four-day deadline as too short because companies would be unlikely to know much about the incident at that point. 

Third-Party Vendors

Shardul Desai, a partner at Holland & Knight and a former federal prosecutor, said companies were concerned that the SEC was vague in defining how an incident would become material in the regulator’s eyes. “How much detail is going to be required in that 8K filing without these companies knowing all the details?” he said, in an interview on Tuesday. 

Some pushed the SEC to include a carve out for hacks that originate with a third-party such as software or cloud storage providers. Without it, companies will have to better coordinate with vendors, said Erez Liebermann, a partner at Debevoise & Plimpton LLP and a former cyber crimes prosecutor, in an interview on Wednesday.

“Third-party risk management programs will have to be beefed up to ensure that you know about incidents quickly,” he said. Disclosing the impacts of a ransomware attack while it’s ongoing could also give hackers “the upper hand” in negotiations, which often take two or three weeks, Liebermann said. Businesses typically try to downplay the impact of an attack while negotiating with a hacker, he said.

The SEC has proposed another cyber reporting rule for investment advisers and funds, plus a similar rule for stock exchanges and other US securities market players.

Companies that fail to be forthcoming with information about cyber events can face probes and fines from the SEC over misleading investors. Software firm SolarWinds Corp., for example, has been notified of a potential agency enforcement action in connection to an extensive hacking campaign, disclosed in 2020, that infiltrated computer systems in US government and in corporate America.

 

(Updates with comments from Christopher Hetner in eight paragraph. A previous version of this story corrected the title of a law firm in the 12th paragraph.)

More stories like this are available on bloomberg.com

©2023 Bloomberg L.P.