
Prominent IT security group recommends SEC reconsider proposed incident reporting rules

Gary Gensler, chair of the U.S. Securities and Exchange Commission, takes his seat before the start of a Senate Banking, Housing, and Urban Affairs Committee hearing on Sept. 14, 2021, in Washington. (Photo by Bill Clark/Pool via Getty Images)

Since the Securities and Exchange Commission publicly proposed significant changes to its cybersecurity reporting rules two months ago, legal, financial and IT security experts alike have been offering their two cents on how useful (and practical) these changes might be.

The latest, and perhaps most pointed, feedback came earlier this week from the Internet Security Alliance (ISA), which filed its comments with the federal financial regulator on Monday.

The SEC’s proposal, as first published, would greatly shorten the turnaround time for reporting cybersecurity incidents and changes to cybersecurity policy. At its core, the proposal would require a public company that experiences a cyber incident deemed “material” to disclose it within four days, and to report on its cyber policies, procedures and governance, among other things.

In their comments this week, ISA officials urged the commission to reassess the proposal, arguing that the changes would not only present compliance challenges for the companies affected but could also create new financial risks for companies that had already suffered an attack.

“It is not the concept of disclosure about cybersecurity that is problematic as much as the types and methods of disclosure that ISA urges be reconsidered,” ISA President Larry Clinton said in a letter regarding the proposed SEC changes.

Instead, the multi-sector industry group suggested that the SEC adopt a “risk management [based] approach to developing disclosure rules, which would weigh benefits of disclosure against risks based on empirical data.” Because cybersecurity is only one of many areas the broad-based, financially focused commission oversees, the ISA said, the SEC may be “underestimating” how difficult it is to determine whether a given cyber incident is “material.”

In addition, ISA officials argued that requiring intrusion details to be reported within 96 hours might, in some cases, help attackers more than it helps the companies and investors the rules are meant to protect. It could also open the door to stock manipulation and other financial fallout, the very harms the SEC said it hoped the proposal would address.

According to ISA’s feedback, the proposed rules could in fact put information in the hands of bad actors, who could use early disclosure of an incident to short a company’s stock or engineer short-term price drops, working directly against the SEC’s stated goals.

For example, ISA pointed out that while the immediate damage (or “materiality”) of a ransomware attack might be assessed quickly, analyzing its long-term effects could take far longer than four days. Rushing to disclose, according to the ISA, could “create false information for the market.”

“The rules disclosures will either be informative or not,” Clinton said in his letter. “Since the attackers are more sophisticated than the investor community, any disclosure that is detailed enough to aid an investor will almost by definition be more helpful to the attacker.”
