As of September 2023, the U.S. Securities and Exchange Commission (SEC) rule requiring public companies to disclose a ‘material’ cybersecurity breach within four days is in effect.
Consequently, some firms will need to make significant adjustments or changes to their cybersecurity strategy. In addition, the new rules could have a profound impact on many risk management programs.
As well as the new four-day requirement, affected companies also need to provide information and updates regarding previously disclosed incidents on a quarterly basis.
According to George Gerchow, IANS Faculty and CSO and SVP of IT at Sumo Logic, this marks “the beginning of the mandate for publicly traded companies to notify the SEC of a cyberattack within four days of a material cybersecurity incident”, as he explains to Digital Journal.
However, this milestone is followed by another, more important one that is still pending: “The more important date is December 15 when companies are required to notify investors. The reality is that the majority of companies are heading into this mandate unprepared, while the responsibility falls on the CISO.”
What does this mean for businesses? The answer seems to be uncertainty, observes Gerchow. The expert notes: “There are still way too many unknowns at this time. We are trying to understand what a ‘material incident’ means, but it’s still too ambiguous.”
Adding to this: “Furthermore, there is very little guidance on how companies should handle third-party attacks. Supply chain attacks are on the rise and add another layer of complexity to reporting the full nature and scope of an incident. So, how are companies going to pull in third-parties and their team to handle an incident within such a short timeframe?”
Gerchow’s answer, for now, is cautious: “Time will tell, but as of right now there are three major unanswered questions”.
Gerchow spells out these key questions as follows:
What is the impact on your company?
How do you handle a four-day disclosure timeline, especially if a third-party is involved?
What are the penalties of failing to meet the reporting deadline?
It is essential that businesses start to get to grips with these. Gerchow concludes, noting: “With all the unknowns and ambiguity, all eyes will be on December 15—and the hope is that by then, we’ll have more information on penalties and more.”
