The SEC proposed new rules requiring public companies to report cybersecurity incidents within four business days. Pictured: Gary Gensler, chair of the U.S. Securities and Exchange Commission, testifies before a Senate Banking, Housing, and Urban Affairs Committee oversight hearing on Sept. 14, 2021, in Washington (Photo by Evelyn Hockstein/Pool via Getty Images)

The Securities and Exchange Commission this week proposed new rules that would require public companies to report a cybersecurity incident within four business days after the organization determines that it has experienced a "material cybersecurity incident."

The move came less than a month after Maine Sens. Susan Collins, a Republican, and Angus King, an independent, joined a bipartisan group of their colleagues in writing a letter to SEC Chair Gary Gensler, urging increased transparency requirements for companies.

“We write to urge the SEC to propose rules regarding cybersecurity disclosures and reporting,” wrote the senators. “We further urge you to coordinate the formulation of these rules with the National Cyber Director. As you know, cybersecurity is among our most significant national security and economic challenges. Daily interactions increasingly take place in cyberspace, leading to more persistent and complex cybersecurity threats. Costs of cyberattacks have also been on the rise.”

The new SEC rules would also require public companies to provide updated disclosure on previously disclosed cybersecurity incidents. Public companies would also have to report their policies and procedures for identifying and managing cybersecurity risks; the company’s cybersecurity governance, including the board of directors’ oversight role regarding cybersecurity risks; and management’s role and relevant expertise in assessing and managing cybersecurity-related risks and implementing related policies, procedures, and strategies.

Willy Leichter, CMO at LogicHub, said that, starting with HIPAA in the late 1990s, mandatory breach disclosure laws have had an enormous impact, forcing organizations to “do the right thing” contrary to a natural corporate tendency to keep problems quiet.

“Reporting in four days will be extremely challenging for many enterprises, but frankly, that's still an eternity for attackers to do damage and spread laterally to new targets,” Leichter said. “The goal is not to blame the victim, or embarrass organizations that have been breached. But few tactics are more effective at forcing organizations to proactively prevent breaches and avoid the stigma of a breach.”

Tim Helming, security evangelist at DomainTools, added that while he thought the spirit of the SEC’s proposal was commendable, there are some legitimate reasons to push back, as well. Helming said four days is a short timeframe for getting enough perspective on a cyber event to make truly informed disclosure statements.

“The facts would almost certainly evolve as more became known, and these discoveries could render the initial disclosure statement quite inaccurate,” Helming said. “Investors, customers, and other stakeholders need timely disclosure, but they need accuracy and perspective as well, and these would be very challenging for even the best-resourced organizations to provide in such a compressed timeline. Preparing a hasty disclosure would almost certainly hamper the incident response team’s capacity to develop the best responses and mitigations during a critical, high-pressure event.”

Joseph Carson, chief security scientist and advisory CISO at Delinea, said the SEC’s proposals reinforce the importance of being incident-response ready, and having a solid backup and recovery strategy that includes ransomware mitigation, enforcing strong identity and access security controls, and ensuring auditing and compliance best practices are prioritized.

“However, the proposals appear to treat data breaches and cybersecurity incidents all equally rather than risk-based, which is a big surprise,” Carson said. “We know that the impact and severity of data breaches and cybersecurity incidents can vary significantly depending on the scale and type of data impacted. Organizations are really going to need to ramp up their incident response plans to be incident-response-ready, as many organizations, even after four days of discovering a data breach, are still trying to identify the impact, so reporting an incident at the same time will require quick incident response capabilities.”