A proposal from the US Securities and Exchange Commission to compel companies to disclose cybersecurity incidents has received strong support from cybersecurity professionals.
There are two components to the proposal. The first is mandatory reporting of "material" cybersecurity incidents. An incident would be disclosed on Form 8-K, which must be filed within four business days of the company determining that the incident is material.
The second component would require companies to disclose their policies and procedures for identifying and managing cybersecurity risk, including providing updates on previously reported material cybersecurity incidents.
“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” SEC Chair Gary Gensler said in a March 9 statement. “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks.”
So far, the SEC has put forward the reporting requirements only as a proposal, which is now open to a 60-day public comment period.
The reaction from those in the cybersecurity business was positive, with many praising the proposal as a step in the right direction.
“This is a good move on the SEC’s part to standardize breach reporting and procedures for publicly traded companies and keep them accountable,” Ray Kelly, a fellow at application security company NTT Security AppSec Solutions Inc., told SiliconANGLE. “The current policies – which do not specify a timeframe to report cybersecurity incidents to the public – have essentially allowed companies to disclose this critical information on their own merit, which could affect stock price or mergers and acquisitions.”
Jasmine Henry, field security director at cyber asset management and governance solutions provider JupiterOne Inc., said the SEC’s proposed rule amendments are a positive step toward transparency and accountability.
“It’s a public recognition that security is a basic right and that organizations have an ethical responsibility to their shareholders to proactively manage cyber risk,” Henry said. “I am particularly encouraged by the SEC’s attention towards cyber incident recovery in the proposed rule amendments, since implementing meaningful change is the most important part of learning from a cybersecurity incident.”
Davis McCarthy, principal security researcher at cloud-native network security services company Valtix Inc., said that as investors gain visibility into how companies secure data, it’s possible the SEC’s amendments will improve cybersecurity standards of the private sector.
“Security posture, risk management and incident handling could become a competitive advantage – who wants to invest in a company that leaves their front door unlocked?” McCarthy said. “As they scramble to validate their posture, many companies will realize that their security solutions are underperforming and that their attack surface has grown in a new direction.”