The Securities and Exchange Commission seems to have missed a key principle of fighting crime: Investigators don’t release all the details of an incident before it’s solved because it would make it harder to catch the criminal. This is true in cybersecurity too. You don’t want hackers to know they’ve been discovered or to highlight a company’s weakness to other bad actors. Yet a new rule from the SEC would require public disclosure of an incident within four days of discovery, even if the hack is still under investigation and hasn’t been remedied.
Those of us who have dealt with actual cyber incidents know that a fix is unlikely to materialize in four days. These reporting requirements will place a spotlight on the vulnerability in the hacked company’s cybersecurity, putting the business at greater risk of suffering successive attacks before the exploited weakness can be fixed.
That comes with a national security risk too, as nation states often engage in or aid cyberattacks against companies. The SEC’s new rule will help states cover their tracks by alerting them to any discovery. And it’ll make it easier for them to find targets by highlighting what businesses are vulnerable and how.
The goal of the SEC’s new rule is to inform investors about attacks, which is a fine idea in principle. Investors should be informed about firms’ cybersecurity risks and sharing information about attacks can help other businesses optimize their own cyber defenses. Reporting is important, but companies should be allowed to resolve an incident before making it public.
Other regulators are racing to require companies to report problems even faster, creating the possibility of confusion of whom to report to and when. Following the European Union requirement of three days, Congress has charged the U.S. Department of Homeland Security to create rules that would also require reporting within three days of an incident, except for ransomware payments, which must be reported in one day. The New York State Department of Financial Services is also asking for a report in three days. The Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corp. have required notification no later than 36 hours after a banking organization determines that an incident has occurred. India has skipped a time frame altogether, requiring immediate reporting to the government.
Unlike the SEC rules, most of these allow for companies to investigate and remediate the incident. But it would be better if the U.S. agencies worked together to create common rules that give businesses a reasonable delay before they report. It would go a long way toward simplifying reporting standards if they clarified what information needs to be reported and when.
The key is to balance national security with other concerns, including the investor’s right to be informed. This balance can be achieved, but it will requires agencies to look past their own narrow priorities and putting the public interest, including national security, first.
Read Next
New Cybersecurity Executive Order, Same Mission: Protecting America's Digital Infrastructure
Since taking office speculation has swirled on what President Trump would do on cybersecurity. A new EO upholds previous messaging and underscores that cybersecurity isn't a partisan battle; it demands nonpartisan solutions to protect the nation.
Dual Drone EOs: A Boost to the Domestic Drone and Counter-Drone Industries
President Trump signed two executive orders with the stated purpose of supporting the domestic drone industry, while also protecting against the threats posed by the misuse and malicious use of drones.
Japan's new Active Cyber Defense Law: A Strategic Evolution in National Cybersecurity
Japan's National Parliament passed the landmark Active Cyber Defense Law, marking a pivotal shift in the country's cybersecurity strategy, encompassing a range of provisions aimed at modernizing Japan's institutions and enhancing cybersecurity.