The SEC’s newly proposed deadline for cyber breach reporting ramps up pressure on companies to quickly gauge the business impacts of such events.
Under the Securities and Exchange Commission’s proposed rule, publicly traded companies would have to disclose a cybersecurity incident within four business days of determining that it is “material,” meaning important to a reasonable investor. That is a departure from other breach notification rules, imposed by states or on particular industries, which start the clock when a company discovers a data leak rather than when it judges the leak to be significant.
This “subtle shift” puts the onus on companies to comprehend the operational and strategic risks that cyber incidents pose, said Bob Zukis, founder and chief executive of the Digital Directors Network. The group advocates for executives with cyber expertise to sit on corporate boards.
“It really ratchets up accountability on companies to truly understand the cyber risk environment,” said Zukis, who also teaches at the University of Southern California’s Marshall School of Business.
The SEC’s proposal, issued Wednesday, is meant to address inconsistencies in disclosures that public companies make on cyber issues, according to the agency.
Some cybersecurity incidents are reported in the media but not disclosed in filings to investors, the proposal said. Companies also offer varying amounts of detail on the impacts of a hack and their response to it, the commission said.
The number of breaches reported by public companies has increased over the past decade, rising from just 28 breaches in 2011 to 117 breaches in 2020, according to an Audit Analytics report. Disclosure trends indicate companies are discovering breaches sooner but taking their time to report them, the report found.
The average corporate data breach cost $4.24 million in 2021, the highest total reported by the Ponemon Institute and IBM Security in their annual report.
The SEC’s proposal is subject to a period of public comment before it can be finalized by a vote of the commissioners.
Commenters are likely to give feedback on whether four days is a “workable” timeframe for companies to provide the cyber disclosures that the commission is seeking, said Haima Marlier, a partner at Morrison & Foerster LLP and former senior trial counsel at the SEC.
“Even after materiality is determined, there may be a lot of information about an incident that’s still not yet known four days in,” Marlier said.
For breaches involving consumer data, states set their own standards for how soon to alert regulators and people whose information was exposed, ranging from hours to days and weeks.
There are also sector-specific breach reporting rules. In New York, financial institutions must report a breach to their regulator within 72 hours of discovering the incident.
The main federal bank regulators—the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency, and the Federal Reserve Board—adopted their own rule in November 2021 requiring banks to notify their primary regulator within 36 hours of a significant computer-security incident.
The SEC’s proposal builds on its 2018 guidance that told companies to disclose cyber risks and incidents that are considered relevant to their financial condition and to investors’ decision-making.
Such reporting should cover potential impacts on a company’s operations and reputation from a cyber incident, as well as any resulting regulatory investigations or lawsuits, according to the guidance. The 2018 guidance, which updated an earlier 2011 document, also told companies to explain the board’s role in overseeing cyber risks.
The new proposed rule would go a step further to require that companies disclose their directors’ level of cyber expertise.
This requirement is a “recognition” of the board’s role in cybersecurity oversight, much like the way directors are expected to have financial knowledge to oversee corporate accounting, said Alan Brill, a senior managing director with Kroll LLC’s cyber risk practice.
“The commission is saying the board can’t stick its head in the sand when it comes to cybersecurity,” Brill said.
The challenge for public companies will be translating the language of cybersecurity risks and incidents into terms that are useful to their executives, directors, and shareholders, said Chris Hetner, former senior cybersecurity adviser to two of the commission’s chairs. He currently works with boards as a cyber adviser to the National Association of Corporate Directors.
“There’s going to be a bit of a learning curve,” Hetner said.