The US Securities and Exchange Commission (SEC) has this week announced a new rule that requires public companies to disclose any security breaches within four days.
The time limit is specifically set for any breaches that could affect a company’s bottom line. However, delays will be permitted for anything that poses a threat to public safety or national security.
In an effort to protect investors, the new rules also require publicly traded companies to share information on their cybersecurity risk management and any cybersecurity expertise their executives hold.
This change follows the recent news that data breaches are on track to set a new record in 2023, with the number of victims increasing by 153% in the first half of this year alone.
SEC Acknowledges The “Growing Risk” Of Data Breaches
These new rules aim to provide transparency into the “growing risk” of data breaches and will hopefully push companies to bolster their cyber defenses.
Before now, no federal breach disclosure law has existed. Only healthcare providers and some critical infrastructure operators have been required by law to report them.
The SEC highlighted that whether a company “loses a factory in a fire or millions of files in a cybersecurity incident” it will impact investors.
The rule states that the four-day window of reporting doesn’t officially start until the company has confirmed the breach as material. However, the US Attorney General stated that the delay could be extended beyond 60 days under extraordinary circumstances, such as “a substantial risk to national security or public safety”.
Could This Rule Actually Help Hackers?
The rule was first proposed back in March 2022, when the SEC found that a rise in corporate network breaches and cybersecurity incidents caused an increased cost to investors. This was largely put down to the rise in digital operations and remote working.
Tenable CEO Amit Yoran, a leading figure in cybersecurity, praised the new rule in a statement:
“For a long time, the largest and most powerful US companies have treated cybersecurity as a nice-to-have, not a must-have. Now it’s abundantly clear that corporate leaders must elevate cybersecurity within their organizations.”
The new requirement hasn’t been met with total positivity or confidence everywhere, however. Concerned that hackers could benefit from information on how companies manage their cyber risk, Republican commissioner Hester Peirce stated that the rule overstepped the SEC’s authority and “seems designed to better meet the needs of would-be hackers”.
Her statement went on to say that the temptation for the SEC to “micromanage” company operations is likely to increase following this latest requirement.
Companies Pay $4.5m To Deal With Breaches
The new SEC rule includes third-party apps and acknowledges companies’ increased reliance on outside cloud services for data and storage. That reliance has in part been blamed for the rise in costs that companies face when dealing with cybersecurity incidents.
In a new report by IBM Security, researchers found that companies pay on average $4.5m to deal with breaches, a 15% increase over the past three years. And it’s not just the businesses footing the bill, with many of those costs being passed on to consumers.
In fact, it seems as though consumers get hit the hardest when a breach happens, with the number of cybersecurity victims increasing from 62m to 157m in the first half of this year alone. This could include anything from a social media account being hacked to bank information being compromised.
As well as reduced risk for investors, it is hoped that fewer consumers will be hit by incidents if the SEC’s rule works as expected.