CORPORATE BREACHES EXPOSED — While Congress is out for the holidays, the Securities and Exchange Commission is delivering a lump of coal to corporate America in the form of new cybersecurity disclosure rules that kick in today. The move comes as the SEC tries to crack down on a deluge of C-suite cyberattacks, but it faces backlash from companies and lawmakers who argue the turnaround is just too tight. Here’s what the new rules mean. — Incident hotline: As of today, any major cyber breach deemed “material” (think data breaches or ransomware raids) has to be splashed onto their forms within four business days. When the cyber disclosure rules dropped Friday, that was only for companies whose fiscal years ended on that day. — Annual cyber audit: Every year, companies will dish on their cyber risk management strategies, board oversight and the juicy details of past breaches (if any). Think of it as a public cybersecurity report card, filed alongside the usual earnings babble. — And everyone’s invited: Foreign private issuers get their own disclosure rules, with comparable requirements for incidents and annual reports. — There’s no industry love: Companies for months have been lobbying for breathing room — including through national security and public safety exemptions — to get more disclosure time. “In the midst of an incident,” Nick Sanna, founder of the FAIR Institute and president of Safe Security, tells MC, “it is unlikely that [companies] can make a good assessment and disclosure on time if they haven’t adopted a quantitative model and tested it before.” Boardrooms have been arguing that four days is barely enough time to disentangle from ongoing hacks, patch major software flaws and avoid inadvertently giving attackers more intel. But top officials with the Department of Justice, CISA and the FBI poured cold water on those exemption pleas. Instead of a sweeping security shield, the DOJ said exemptions starting today “will be met not at all that often.” If a rare exemption is granted, victims would be offered a maximum of 120 additional days before disclosing the incident publicly. — Lawmakers aren’t too pleased either: At a House Homeland Security cyber subcommittee hearing last week, Chair Andrew Garbarino (R-N.Y.) unloaded on the flaws in the rules. His frustration? Palpable. His word? “Terrible.” And ranking member Rep. Eric Swalwell (D-Calif.) cut in with a “same.” You may even remember that Garbarino recently introduced a rare congressional procedure designed to overturn the SEC policy — with Sen. Thom Tillis (R-N.C.) introducing a companion measure. — What does this mean for the C-Suite?: Business as usual. Companies will now have to navigate short deadlines, limited exemptions and potentially tricky SEC inquiries. “Testing cyber disclosure processes during live incidents is a recipe for failure,” Sanna said.
|
No comments:
Post a Comment