SEC rules companies now have to report breaches within 4 days

New rules set out by the US Securities and Exchange Commission (SEC), require publicly traded companies in the US to report a “material” cyber-incident within four days of its discovery.

In its announcement, the SEC describes material incidents as those that the shareholders of the company would deem important “in making an investment decision”. The business watchdog also changed the rules on how foreign private issuers must disclose cybersecurity breaches. 

"Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors," said SEC Chair Gary Gensler. "I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them."

Companies listed on stock exchanges must now detail any cyberattack in the 8-K periodic report filing forms within four days of its discovery. The details the SEC will be looking for include the attack’s nature, scope, and timing. Smaller firms will get a 180 days extension before being asked to provide 8-Ks, the SEC added.

There are exceptions to the rule, though. If the US Attorney General finds disclosing the data breach so quickly would undermine national security or public safety, the filing may be postponed.

Analysis: Why does it matter?

It was more than a year ago when the SEC first announced working on a new set of rules for reporting cybersecurity incidents. Back in March 2022, the watchdog said the goal of the new rules was to provide investors with timely notifications about cybersecurity incidents affecting publicly listed companies. That, in turn, should help them understand cybersecurity risk management and tweak their investment strategies accordingly. 

As per the rules, the listed company needs to report when it first discovered the incident and its status (active or resolved), a short description of the attack’s nature and extent, a list of compromised data, how the attack impacts its operations, and what the company is doing to tackle the issue. 

Technical specifics, incident response plans, or details about vulnerabilities abused in the attack can be kept away from the public eye, as these could affect how businesses approach the incident.

When it comes to being forced to report cyberattacks, the SEC’s hand was mostly forced, as many businesses went to great lengths to keep the events from reaching the press. Some, like Uber’s executives, for example, were even giving hackers and in-the-know employees hush money to delete stolen data and not talk about it any more.

Data breaches are important to disclose as they demonstrate transparency and honesty to customers, stakeholders, and the public. It also improves risk mitigation, as it allows affected individuals to react on time, change their login credentials, and safeguard other important digital assets. Furthermore, consumers are known for not wanting to work with breached businesses and those who handle such incidents poorly. Finally, not disclosing cyberattacks, especially when sensitive data gets stolen, exposes the company to potential lawsuits from affected parties, shareholders, and regulatory bodies, opening an entirely new can of worms. 

What have others said about SEC’s new rules?

Speaking to BleepingComputer, Lesley Ritter, Senior Vice President for Moody's Investors Service said the rules will improve transparency, but could cause some headache to smaller businesses: "The cybersecurity disclosure rules adopted by the U.S. Securities and Exchange Commission earlier today will provide more transparency into an otherwise opaque but growing risk, as well as more consistency and predictability," Ritter told BleepingComputer.

"Increased disclosure should help companies compare practices and may spur improvements in cyber defenses, but meeting the new disclosure standards could be a bigger challenge for smaller companies with limited resources."

In its writeup, The Hacker News focused on the fact that the rules refer to “material” cybeattacks, which gives more room for interpretation - and problems: "The key word here is 'material' and being able to determine what that actually means," Safe Security CEO Saket Modi told The Hacker News. "Most organizations are not prepared to comply with the SEC guidelines as they cannot determine materiality, which is core to shareholder protection. They lack the systems to quantify risk at broad and granular levels."

The frame being “too tight” might also be an issue, as it may result in inaccurate disclosures, the publication further added. Discussing the matter with with James McQuiggan, security awareness advocate at KnowBe4, it was said that companies may take weeks, or even months to fully investigate a breach, and premature breach notifications could tip off other attackers about potentially vulnerable businesses: "The new requirement set forth by the SEC requiring organizations to report cyber attacks or incidents within four days seems aggressive but sits in a more lax time frame than other countries," James McQuiggan, security awareness advocate at KnowBe4, said.

"Within the E.U., the U.K., Canada, South Africa, and Australia, companies have 72 hours to report a cyber incident. In other countries like China and Singapore, it's 24 hours. India has to report the breach within six hours. Either way, organizations should have repeatable and well-documented incident response plans with communication plans, procedures, and requirements on who is brought into the incident and when," McQuiggan added.

Go deeper

To learn more, read our guides on the best malware removal software, as well as best endpoint protection solutions. You should also check out our best ID theft protection buying guide, and our list of the best firewalls around.