As the SEC's new data breach disclosure rules take effect, here’s what you need to know
Starting from today, December 18, publicly owned companies operating in the U.S. must comply with a new set of rules requiring them to disclose “material” cyber incidents within 96 hours. The regulation represents a significant shake-up for organizations, many of which have argued that the new rules open them up to more risk and that four days isn’t enough time to confirm a breach, understand its impact or coordinate notifications.
Regardless, those that don't comply — whether a newly listed organization or a company that has been publicly owned for decades — could face major consequences courtesy of the U.S. Securities and Exchange Commission (SEC).
What do businesses need to know?
Under the incoming cybersecurity disclosure requirements, first approved by the SEC in July, organizations must report cybersecurity incidents, such as data breaches, to the SEC in a specific line item on a Form 8-K report within four business days. According to the regulator, the rules are intended to increase visibility into cybersecurity governance and provide disclosure in a more “consistent, comparable and decision-useful way” that will benefit investors and companies alike.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said at the time.
In an 8-K filing, breached organizations must describe the incident’s nature, scope, timing and material impact, including financial and operational. Notably, the regulation does not require companies to disclose any information “regarding the incident’s remediation status, whether it is ongoing, and whether data were compromised,” as this could compromise ongoing recovery efforts.
“This means that companies must have the proper controls and procedures in place to ensure that a materiality determination can be made once a cybersecurity incident is detected,” Jane Norberg, a partner in the Securities Enforcement Defense practice at Washington, D.C.-based law firm Arnold & Porter. “Practically speaking, companies will also want to consider having the incident response team in the procedural chain when making materiality determinations.”
Norberg added: “The rule also includes breaches of the registrant’s information that may be residing on a third-party system. This means that a company will need to gather and assess information and make materiality determinations based on breaches of third-party systems.”
"I seem to be the person who’s criticizing the SEC less than everyone else because I think we should praise them for trying to make rules.” Joe Sullivan, ex-Uber CSO
Smaller companies, which the SEC defines as companies with a public float of less than $250 million or less than $100 million in annual revenues, will get a 180-day extension before having to file their Form 8-K disclosing an incident.
There is also an exception to the four-day deadline for larger organizations, a clause added after businesses argued that prematurely making a cybersecurity vulnerability or incident public could impede ongoing law enforcement investigations. The SEC says the disclosure can be delayed if the U.S. attorney general determines that alerting shareholders to the incident “would pose a substantial risk to national security or public safety.”
The FBI will be responsible for collecting delay request forms and passing the viable ones on to the Department of Justice.
In addition to the SEC’s new data breach disclosure rules, the regulator has also added a new line item called Item 106 to the Regulation S-K that will be included on a company’s annual Form 10-K filing. This will require businesses to describe their process “for assessing, identifying, and managing material risks from cybersecurity threats.” Companies must also disclose their management’s ability to assess and manage material risks from cyberattacks.
What are the consequences if businesses don't comply?
If an organization subject to SEC jurisdiction does not comply with the new rules on cybersecurity disclosures, this can lead to various consequences, the SEC says.
“The SEC has the authority to enforce compliance and may act against organizations that fail to adhere to the regulations. Some potential consequences include financial penalties, legal liabilities, reputational damage, loss of investor confidence and regulatory scrutiny,” Safi Raza, senior director of cybersecurity at Fusion Risk Management, told TechCrunch. “The SEC is unwavering in its commitment to protect investors, making it clear that enforcement measures will be implemented to ensure transparency and accountability.”
As demonstrated by the recent action taken by the SEC against SolarWinds and its chief information security officer (CISO), the regulator's action could be even more far-ranging.
“In that case, the SEC is seeking civil monetary penalties, disgorgement and to permanently bar the CISO from serving as an officer or director of a public company based on alleged material misstatements and failure to maintain proper disclosure and accounting controls in connection with the SolarWinds cyberattack,” Norberg said.
This controversial case shares similarities with the case against former Uber CSO Joe Sullivan, who in 2022 was found guilty on charges of obstructing an official proceeding and misprision of a felony — a failure-to-report-wrongdoing offense — related to a breach of Uber’s systems in 2014.
In a recent interview with TechCrunch, Sullivan said he welcomed the SEC’s data breach reporting rules, saying: "We can nitpick the details as much as we want, but this is the right way to do it,” he said. “I seem to be the person who’s criticizing the SEC less than everyone else because I think we should praise them for trying to make rules.”
Has there been pushback?
Unsurprisingly, yes.
Some companies have expressed concern about the short four-day reporting window to determine whether or not an incident is material and then report it to the SEC. Until now, many organizations have taken months to report a breach and only did so after they had completed their investigation.
"The real challenge for companies is to stay informed and on top of all the changing laws and requirements related to cybersecurity hygiene and breaches, and to put in place the proper controls, processes and procedures to reduce risk in this ever-evolving landscape," said Norberg.
Some organizations have also highlighted concerns surrounding the SEC’s definition of “material incidents,” given the regulator has not provided a materiality definition specific to cybersecurity events. Instead, the SEC directs companies to apply the long-standing definition of materiality that is used in securities law, which reads: “Information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or if it would have significantly altered the total mix of information made available to investors.
Norberg added that there is also concern by businesses that the timing and breadth of information that needs to be disclosed “may give information to the hackers regarding steps taken by the company.”
In fact, they may have only just gone into force, but hackers have already abused the SEC’s new data breach rules. Earlier this year, the notorious Alphv/BlackCat ransomware group filed an SEC complaint against one of its victims, MeridianLink, for failing to report the incident to the regulator.
"It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules," a posting on the gang’s dark web leak site read.
Matthew Gracey-McMinn, head of threat research at cybersecurity company Netacea, told TechCrunch that this tactic — which is being adopted by attackers in a bid to extort extra money out of victims — could become a big problem going forward.
“We anticipate that this will become a common practice of most cyberattacks in 2024 and may act as an additional charge alongside, or even replace the encryption of data by, ransomware,” said Gracey-McMinn.