In the wake of ongoing cyber threats from Russia, the U.S. Securities and Exchange Commission (SEC) is proposing new cybersecurity rules to amp up cyber-incident reporting.
Specifically, the SEC is recommending "mandatory cybersecurity incident reporting” within four business days of an incident being spotted. The commission has pointed out that over the past decade, cyber-incident reporting has been “inconsistent.” Also, the SEC is requiring that disclosures on corporate cybersecurity policies be more consistent, with reporting happening in 30 days from the incident’s publishing in the Federal Register, or 60 days after it is issued.
“While in the near term, firms will not like this new requirement, they should see it as an opportunity to demonstrate that they are doing cybersecurity and risk management better than competitors in the market,” said Padraic O'Reilly, cyber risk adviser for the Department of Defense and co-founder of the cyber-risk firm CyberSaint.
“Having a solid governance approach to cyber-risk management is a business opportunity and needs to be looked at as an investment,” he said. “Ultimately, cyber- and risk management have to be part of investor due diligence and more transparency is long overdue.”
Under the SEC’s recent proposals, certain financial firms and listed companies must report cyberattacks to their regulators, create detailed plans for responding to hacks and explain how they manage cybersecurity at all levels. Many industry experts believe this new proposed rule will support financial firms’ ability to fend off cyberattacks."
"The proposed new rule by the SEC, which would require public organizations to disclose cyberattacks within four days, will ensure that organizations are transparent when it comes to disclosing breaches,” said Dr. Francis Gaffney, director for threat intelligence and response for Mimecast. “And it should also help their leaders place more importance on cyber resilience.”
“Cyberattacks are on the rise, and it is often a question of when, not if, one will occur,” Gaffney said. “It is vital business leaders have adequate, multi-layered cybersecurity measures in place as well as a well-rehearsed cyber resilience response plan. Cybersecurity awareness training for their staff that is frequent and engaging also is a crucial defense against cyberattacks.”
