Infosec experts divided on SEC four-day reporting rule
Professionals in the cybersecurity industry voiced both praise for and concerns about new incident disclosure rules that give companies four days to report a "material" cyber attack.
The Securities and Exchange Commission's newly adopted cybersecurity rules may promote transparency for breaches and attacks. But infosec experts agree more time is needed to assess the consequences – both negative and positive.
Last week, the SEC announced the adoption of new cybersecurity risk management, strategy, governance and incident disclosure rules that would require public companies to report cyber attacks on Form 8-K filings within four business days. The new rules were proposed last year and will likely become finalized 30 days after adoption.
A lack of transparency and timely reporting has been an ongoing concern in the cybersecurity industry, particularly when it comes to companies disclosing ransomware attacks. While experts agree the reporting rules may promote better cyber hygiene and increased transparency, adverse consequences could arise if an incident is publicly disclosed before it is contained or mitigated.
Additionally, cybersecurity professionals were divided over the lack of clarity the rules provide for companies.
Vagueness was a main concern for Tara Wisniewski, executive vice president of global markets and member engagement at cybersecurity nonprofit ISC2. The ruling poses more questions than answers, she said.
"We think it's going to create more ambiguity and not less. For example, there are no concrete definitions of a number of terms. There are no concrete definitions for which cyber incidents must be disclosed. There's no definition of what constitutes materiality. There is also still no clear definition of what cyber expertise entails," Wisniewski said.
While Nick DeLena, cybersecurity and privacy advisory partner at accounting firm PKF O'Connor Davies, agreed that the SEC's definition of "material" is vague, he said it comes down to whether a reasonable investor would view the information as a factor in deciding whether to buy the company's stock.
DeLena highlighted the SEC's Rule 405 on materiality, which states, "When used to qualify a requirement for the furnishing of information as to any subject, [materiality] limits the information required to those matters to which there is a substantial likelihood that a reasonable investor would attach importance in determining whether to purchase the security registered."
The rule gives companies four business days after a breach is determined to be "material" to disclose it to the SEC, rather than four days after the breach is simply discovered. DeLena believes this is an important distinction that will give enterprises adequate time to detect, respond to, recover from and analyze a breach before they need to report to the SEC.
"As a result, the SEC should get better informed information about the true financial impact of breaches to public companies," DeLena said.
Christopher Budd, director of threat research at Sophos, agreed that the rule is beneficial for enterprises and the industry because it provides clarity and a baseline of expectations and requirements. Now public companies should include the four-day rule in incident response plans, he said, and adjust and shape those plans to support it.
Transparency woes
Tenable CEO Amit Yoran said a potential benefit of the SEC reporting rule is greater transparency, which is an ongoing concern. Last year, the Committee on Homeland Security and Governmental Affairs published a report titled "Use of Cryptocurrency in Ransomware Attacks, Available Data and National Security Concerns" that described ransomware reporting as "fragmented and incomplete." The problem persists: many companies report breaches only after being added to a ransomware group's public data leak site, which the group uses to pressure victim organizations into paying.
"When cyber breaches have real-life consequences and reputational costs, investors should have the right to know about an organization's cyber risk management activities," Yoran said in an email to TechTarget Editorial. "This is a dramatic step toward greater transparency and accountability and will greatly improve our cybersecurity preparedness as a nation."
In addition to the four-day reporting rule, the SEC will require companies to "describe their processes for assessing, identifying and managing material risks from cybersecurity threats" in their annual report on Form 10-K. Companies will also have to disclose the board of directors' oversight of risks from cybersecurity threats and management's role in assessing and managing material risks. Yoran emphasized the positive effect those rules could have on cyber hygiene.
The SEC has made it abundantly clear, he said, that corporate leaders must elevate cybersecurity within their organizations. The rules may enforce cyber hygiene practices and provide a more complete picture of a company's security posture.
"Requiring companies to provide annual updates of their cybersecurity risk management strategy and governance and report material breaches within four business days will keep customers and investors better informed as to who they trust with their business," Yoran said.
On the other hand, Wisniewski is concerned the board oversight requirements don't go far enough. ISC2 would like to see a more formal framework and oversight, she said. As written, the rules put more pressure on technical professionals, and cybersecurity teams are already understaffed.
Will it give an advantage to the attacker?
While being upfront after a cyber attack can be beneficial, the infosec community has long debated how much transparency might be too much. The new SEC rules fuel the ongoing debate, which Wisniewski said further highlights a lack of consensus within the cybersecurity community.
One potential downside to the hard-and-fast reporting rule, Budd noted, is that information about incidents may trickle out over time rather than come as a single, definitive and authoritative statement. "This is because incidents and investigations take time and so organizations may not have the full story yet after four days and need to provide ongoing updates after the initial disclosure," Budd said.
Yoran said the SEC has attempted to address the short-turnaround concerns by narrowing the amount of information that must be disclosed. The rule requires disclosure of the impact of the incident rather than details about the incident itself, he said, which may minimize the risk of sharing information that could benefit the attacker.
"Ultimately, the SEC weighed in favor of investors deserving timely, standardized disclosures of cybersecurity incidents that materially affect registrant's business," Yoran said.
However, the most important aspect of the transparency debate is whether shared information will give the advantage to the attackers rather than the organizations.
When the cybersecurity rules were first proposed by the SEC last year, Harley Geiger, counsel for Venable LLP and former senior director of public policy for Rapid7, detailed potential problems in a blog post. His main concern revolved around the consequences of companies disclosing a cyber incident before it has been contained or mitigated. He also said Rapid7 generally supported the proposed rule, but that the risks and benefits of transparency needed to be balanced.
Geiger offered scenarios in which disclosure would benefit the attacker while hurting the victim. For example, he emphasized that attackers sometimes maintain persistence inside a victim organization for years; attackers who learn they have been discovered could cover their forensic trail or accelerate data theft or extortion activities. Additionally, he warned, a disclosure could alert attackers to a vulnerability that is present in other companies.
"The public disclosure of material cybersecurity incidents prior to containment or mitigation may cause greater harm to investors than a delay in public disclosure," Geiger wrote in the blog post. "We recommend that the SEC provide an exemption to the proposed reporting requirements, enabling a company to delay public disclosure of an uncontained or unmitigated incident if certain conditions are met."
Last August, Rapid7 issued comments to the SEC about the proposed rules. While the cybersecurity vendor said it supported many aspects of the proposal, it also voiced concern that premature disclosure could put investors at risk. In an email to TechTarget Editorial, Rapid7 said the RFI filing from August 2022 still reflects the company's current stance.
The filing also echoed Geiger's recommendation for exemptions to the reporting rule. The SEC addressed that concern in the new rules, which state a disclosure may be delayed if the U.S. Attorney General determines it would "pose a substantial risk to national security or public safety."
While infosec experts agree it will take time and practical experience to see how effective the allowances will be, the vagueness may again cause concern. Budd highlighted that there are general but not specific guidelines on how petitions for these allowances will be considered. On the other hand, Yoran said the delay allowance aligns with other public reporting and disclosure timelines for material matters.
Still, Yoran acknowledged an industry-wide concern that a four-day reporting rule may put a victim organization at a disadvantage if it has not had enough time to gather all the facts. He highlighted one cyber incident -- the SolarWinds supply chain attacks -- where he did not believe early disclosure impeded the victim organization.
"Consider that Mandiant didn't have all the facts when they sounded the alarm about the SolarWinds breach, but they disclosed what they could. And it ended up creating transparency for the entire industry and likely helped lots of customers avoid disaster," Yoran said.
Another potential problem Wisniewski raised is how far the reporting rule may extend. For example, will companies be required to report to cyber insurance carriers as well? Depending on their risk registers, some boards will require prompt reporting to insurance carriers. Additionally, she said that some cyber insurance policies require the insured to report directly to the carrier when an incident reaches a certain risk level.
In the end, Wisniewski said the SEC reporting rules give regulators in general an opportunity to engage organizations in the field and explain what their thinking is about the requirements and cybersecurity in general. "I think it's much more effective if there is almost a partnership mindset as opposed to a policing mindset," she said.