Controversial new Securities and Exchange Commission rules that will take effect Aug. 26 are designed to create consistency in cybersecurity-related disclosures, said SEC Chair Gary Gensler — but one aspect of the mandate has some area experts concerned.
“The companies that are pushing back are concerned about the four days,” said Chief Technology Officer Michael Jenkins of Orlando-based ThreatLocker. “The rules say a publicly traded company must file a Form 8-K disclosure within four days of learning about a cybersecurity incident such as a breach. That’s too soon.”
Jenkins said he supports responsible disclosure and the transparency that builds stakeholder trust, but the irony here is that disclosing so quickly could be considered irresponsible.
“If you're publicizing a vulnerability within four days of it happening, you're putting other businesses at risk,” he said.
For example, Jenkins said WannaCry, the fastest-spreading cybercrime attack in history, gained the momentum it did because it was announced, tipping off hackers who used the information to capitalize on a Windows vulnerability. WannaCry caused about $4 billion in damages worldwide, “but if that vulnerability had never been published, WannaCry would only have happened in small, isolated areas."
Jay A. Cohen, owner of Jayco CIO Services in The Villages, said he understands why the SEC is getting tougher and why agencies like the SEC want more accountability from companies and their cybersecurity operations. “I'm sure there have been a lot of lawsuits from shareholders who asked, ‘Why didn't you tell us sooner?’”
In fact, Yahoo paid a $29 million settlement in a shareholder derivative lawsuit in 2019. Home Depot Inc. (NYSE: HD) and Twenty-First Century Fox Inc. (Nasdaq: FOXA) also were sued over data breaches in recent years. On top of that, there has been a 154% increase in the last year in federal data breach class-action lawsuits, according to Law.com.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said Gensler in a prepared statement. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way.”
The new rules, conscious of shareholder interests, don’t seem far-fetched to Cohen, but he also believes four days may not be enough: “After a cyber incident, you need time to mop up and really do your risk assessment to know if damage was done and what the damage was. Four days might not be enough. I would think 10 days would probably be a little bit better, but even then, how much should be disclosed early on? As more information is gathered, statements about the incident will be better informed. The picture could be better than what was initially thought, but by then, the company’s reputation is damaged.”
Cohen said he thinks companies will provide brief answers to questions on the 8-K form.
“‘Yes, we were hit. There's no damage as far as we know right now.’ And then they may make a statement a few days later to say, ‘Yes, we did our assessment, there was damage and here's what we found.’”
The SEC and cybersecurity
- 2011: SEC issues guidelines on cybersecurity disclosures for the first time.
- 2018: SEC expands on 2011 guidance with supplementary information.
- 2023: SEC standardizes disclosures made by public companies.