A Brief Analysis of the New SEC Filing Rules

November 2, 2023

In July of this year, the SEC adopted its long-anticipated rules holding public companies more accountable for cybersecurity incidents. The rules were adopted in July, and compliance with the incident-disclosure requirement begins in December, but corporations (especially those that have been breached in the interim) are already scrambling to respond to the new regulations. 

What’s the big change? The SEC this year adopted rules requiring companies to disclose “material cybersecurity incidents” they experience, and to disclose on an annual basis “material information” regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures. These three new disclosure requirements are submitted on Forms 8-K, 10-K, and 6-K, respectively. 

Most public companies will be required to comply with the Form 8-K incident disclosure requirements beginning on December 18, 2023. Smaller reporting companies are eligible for an extension for complying with the Form 8-K incident disclosure requirements and have until June 15, 2024.

These new reporting requirements came about largely as a response to pressure from investors and enforcement agencies for a streamlined, consistent cyber-incident reporting system, one that counteracts the financial and reputational disincentives corporations (naturally) have when it comes to disclosing cyberattacks. Cyberattacks are serious business, and stakeholders, including consumers, can’t be left in the dark. 

“The investor community and commentators alike recognize that it is imperative that the SEC and courts act swiftly and severely, requiring companies to make robust and immediate disclosures of cybersecurity incidents, as well as implement safeguards to protect against cyberattacks,” states Reuters.

Corporations now have their feet to the fire in a big way. The Form 8-K disclosure is due within four business days of the company determining that an incident is material, which means that companies have to rapidly analyze the nature of the incident, decide whether it meets the materiality threshold under the new SEC rules, and generate an appropriately detailed report that fits the SEC requirements.

If one of your vendors or other affiliated entities has filed an 8-K about a cyberattack, it means that a serious breach and/or leak has occurred, and that you need to take swift action to protect your organization. The regulation’s “material” incident language sets the reporting threshold high enough that any such 8-K filing should be treated as highly significant. (Companies are still working out exactly how to determine whether a breach requires an 8-K filing, but the recent 8-K filings from Clorox, Caesars, and MGM all came in the wake of large, consequential breaches.) 

Cyberattack 8-Ks must be filed within four business days of the materiality determination, not of the intrusion itself, so the public filing can trail the actual compromise by considerably longer than four days. Even taken on its own, four business days might sound like a fast reporting window, but, as we know, it is an eternity in the world of cybersecurity. In that time, leaked credentials could have spread around the world and be in the hands of thousands of hackers. Your own organization might already be being targeted, attacked, or even breached. The new Form 8-K regulations are a powerful step toward accelerated breach disclosures, but security teams still need to be faster than the speed of public disclosure.

To stay on top of breaches and leaks (whether they’re related to your own domains, or to those of your vendors), real-time threat intelligence, based on in-depth, continuous dark web scanning, is imperative. Security teams need to know what the hackers know, and as close to simultaneously as possible. HackNotice’s Third Party Monitoring service offers threat intelligence about any third party, giving real-time alerts for any breaches, as well as providing a historical profile for each third party being monitored – including their dark web exposure and a synopsis of their historical breaches. HackNotice monitors your third-party vendors to keep you informed of any breaches that may affect your business, allowing you to quickly initiate incident responses. Plus, with First Party Monitoring and End User Monitoring, your security team will have real-time information about any close-to-home breaches and leaks. Check out a HackNotice demo here!

The SEC’s new cyberattack reporting rules will go a long way toward increasing corporate responsibility for breaches and leaks, and will help give investors, consumers, and other stakeholders the information they need to protect themselves. But there’s much more that can be done, and security professionals should stay up to date on the best methods for detecting cyberattacks long before public disclosures happen.