The Securities and Exchange Commission seems to have missed a key principle of fighting crime: Investigators don’t release all the details of an incident before it’s solved because it would make it harder to catch the criminal. This is true in cybersecurity too. You don’t want hackers to know they’ve been discovered or to highlight a company’s weakness to other bad actors. Yet a new rule from the SEC would require public disclosure of an incident within four days of discovery, even if the hack is still under investigation and hasn’t been remedied.
Those of us who have dealt with actual cyber incidents know that a fix is unlikely to materialize in four days. These reporting requirements will place a spotlight on the vulnerability in the hacked company’s cybersecurity, putting the business at greater risk of suffering successive attacks before the exploited weakness can be fixed.
That comes with a national security risk too, as nation states often engage in or aid cyberattacks against companies. The SEC’s new rule will help states cover their tracks by alerting them to any discovery. And it’ll make it easier for them to find targets by highlighting what businesses are vulnerable and how.
The goal of the SEC’s new rule is to inform investors about attacks, which is a fine idea in principle. Investors should be informed about firms’ cybersecurity risks and sharing information about attacks can help other businesses optimize their own cyber defenses. Reporting is important, but companies should be allowed to resolve an incident before making it public.
Other regulators are racing to require companies to report problems even faster, creating the possibility of confusion of whom to report to and when. Following the European Union requirement of three days, Congress has charged the U.S. Department of Homeland Security to create rules that would also require reporting within three days of an incident, except for ransomware payments, which must be reported in one day. The New York State Department of Financial Services is also asking for a report in three days. The Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corp. have required notification no later than 36 hours after a banking organization determines that an incident has occurred. India has skipped a time frame altogether, requiring immediate reporting to the government.
Unlike the SEC rules, most of these allow for companies to investigate and remediate the incident. But it would be better if the U.S. agencies worked together to create common rules that give businesses a reasonable delay before they report. It would go a long way toward simplifying reporting standards if they clarified what information needs to be reported and when.
The key is to balance national security with other concerns, including the investor’s right to be informed. This balance can be achieved, but it will requires agencies to look past their own narrow priorities and putting the public interest, including national security, first.
Podcast: 'Artificial Intelligence and Chatbots … Helpful or Harmful?'
What can artificial intelligence technologies do and what are the risks and benefits associated with using these technologies - especially as they capture everyone’s interest and attention.
EU’s Cyber Resilience Act can bolster security, but lacks structure
The Cyber Resilience Act can, if done correctly, meet its objectives to bolster the security and resilience of products, however, as structured its effectiveness may be undermined.
Bureau for Cyber Statistics Proposed
A proposed Bureau for Cyber Statistics would centralize cybersecurity data collection, produce informative analysis reports, and inform policymaker’s decisions regarding cybersecurity.