The SEC’s cybersecurity disclosure rules offer companies a great opportunity to examine their own security operations and reporting procedures to ensure compliance under the new rules.
Cybersecurity operations and reporting are undergoing a heightened level of scrutiny due to contentious cybersecurity disclosure regulations issued by the U.S. Securities and Exchange Commission (SEC).
These regulations require publicly traded companies to promptly disclose cybersecurity incidents within four business days of identifying their materiality, alongside reporting on their cybersecurity risk management and governance procedures. This move by the SEC underscores the imperative for businesses to actively manage and report cybersecurity incidents, despite the intricate and firm nature of the 200-word ruling.
However, businesses also must address a major issue that the SEC did not discuss in its ruling: the impact of generative artificial intelligence (GenAI) on their cybersecurity functions.
A notable step forward
These regulations mark a notable stride towards enhanced accountability and transparency in addressing cybersecurity risks and incidents. Companies are urged to revisit and enhance their disclosure protocols, conduct thorough cybersecurity risk evaluations, establish comprehensive incident-response strategies, invest in cybersecurity infrastructure and training, and institute clear communication channels to ensure compliance with the new mandates. Although these requirements may seem substantial, businesses should already be prioritizing safeguarding their operations, regardless of regulatory directives from the SEC.
The prevalence of data breaches has been on an upward trajectory for several years, with no sign of abating. For example, Bank of America suffered a data breach, in which tens of thousands of customers had their information compromised in a ransomware attack targeting Infosys McCamish Systems, one of the bank’s service providers, in November 2023. While notifications to customers began in February, potentially exceeding state-mandated notification deadlines, reports indicate that more than 57,000 customers were affected, with exposed data including addresses, names, Social Security numbers, dates of birth, and some banking details.
The pervasiveness of data breaches transcends industries and organizational sizes, inflicting millions of dollars in damages on US businesses. A single data breach’s average cost is $4.45 million, underscoring the pressing need for robust cybersecurity measures across all sectors.
New rules and new risks
The SEC’s cybersecurity disclosure rules, introduced in July 2023, have transformed how public companies must handle and disclose cybersecurity incidents. While the regulations are multifaceted, here’s what businesses must understand:
Swift, comprehensive incident reporting — Companies must now disclose “material cybersecurity incidents” within a strict four-business-day window after gauging the severity of the incident. This replaces the less specific “prompt” reporting standard that often caused delays. Companies must provide in-depth descriptions of the incident, including the attack’s nature, the systems compromised, the potential effects on business functions and finances, and the company’s response strategy.
Yearly disclosure of cybersecurity frameworks — Alongside incident reporting, companies are now obligated to reveal their cybersecurity risk management policies, governance structures, and incident response protocols in their annual reports. This mandate outlines how they evaluate and control material risks from cyber-threats, how their board and management oversee cybersecurity, and how these safeguards fit into the company’s broader risk management strategy.
Prioritizing investor protection — These regulations are designed to furnish investors with reliable, up-to-date insights into how companies tackle cyber-risks, fostering increased transparency and responsibility within the corporate world.
The cost of non-compliance — Although the SEC hasn’t yet outlined precise penalties for violating the new rules, its enforcement powers are far-reaching. Fines could reach up to $25 million alongside other disruptive actions like cease-and-desist orders or suspension of trading privileges. Even more concerning is the increased likelihood of lawsuits from investors or stakeholders if companies neglect to disclose material cybersecurity events. The SEC’s rules provide a strong basis for activist investors to challenge companies that fail to meet their obligations.
But what about GenAI?
The report is also notable for what it doesn’t address: the impact of GenAI. Businesses are increasingly adopting GenAI to do everything from customer service to website search. Yet, GenAI is vulnerable to more subtle forms of manipulation from bad actors, who can corrupt chatbots and AI-powered search so that they divulge private customer data or provide inaccurate information. The breaches can act like a slow leak in a tire; a business might not become aware of them for quite some time. And yet, the SEC cybersecurity disclosure rules do not address the potentially devastating impact of GenAI breaches.
GenAI cuts both ways, of course. On the plus side, GenAI offers potent tools to combat cybersecurity attacks and sharpen companies’ training abilities and even their SEC reporting. However, GenAI has to be actively managed, and companies should remember that human oversight remains vital throughout the process. This includes training the models to generate valid scenarios or report formats and continually verifying the outputs for quality. GenAI can even help with this, flagging potential oversharing in disclosures based on preset guidelines.
Beyond its failure to mention GenAI, the SEC’s new cybersecurity disclosure rules have had their fair share of critics. One major sticking point is the whole “materiality” issue and the tight reporting deadlines. Companies are expected to figure out if an incident is significant enough to report “without unreasonable delay” — then tell the SEC about it within four business days. That’s a tall order, considering it takes an average of 277 days to even spot and contain most breaches. How are companies supposed to accurately assess the scope of an attack that quickly, without potentially misreporting key details?
Then there’s the disclosure headache. Companies must walk a tightrope, providing enough information to satisfy the SEC while avoiding revealing so much that they put their security at further risk. It’s a delicate balance that leaves room for misinterpretation.
Even more concerning are the implications for public and national security. Some experts worry that rushing to disclose incidents could hinder investigations. The SEC’s rules do offer a loophole — the U.S. Attorney General can delay disclosure for national security or safety reasons — but this solution is considered cumbersome and limited.
Despite these criticisms, the rules are law. Companies now face the unenviable task of navigating these complexities as best they can. Indeed, the SEC’s disclosure rules should be seen not as a burden, but as a catalyst for proactive cybersecurity improvement. Businesses that wait until mandatory reporting deadlines to address security are already operating from a position of risk — and waiting for the SEC to force your hand is a recipe for a future breach.
Company cybersecurity leaders should embrace the opportunity to improve now and stay ahead of the curve.