The SEC's cybersecurity disclosure rules provide an excellent opportunity for companies to examine their security operations and reporting procedures and ensure compliance under the new rules.
Controversial cybersecurity disclosure regulations issued by the U.S. Securities and Exchange Commission (SEC) have placed increased scrutiny on cybersecurity operations and reporting.
These regulations require listed companies to report on their cybersecurity risk management and governance procedures and to disclose cybersecurity incidents promptly, within four business days of determining that an incident is material. Despite the complex and robust nature of the 200-word ruling, this move by the SEC underscores the imperative for companies to proactively manage and report cybersecurity incidents.
However, companies must also address an important issue that the SEC did not discuss in its ruling: the impact of generative artificial intelligence (GenAI) on cybersecurity capabilities.
Significant progress
These regulations represent significant progress towards greater accountability and transparency in addressing cybersecurity risks and incidents. To comply with the new mandates, companies will need to rethink and strengthen their disclosure protocols, conduct thorough cybersecurity risk assessments, establish comprehensive incident response strategies, invest in cybersecurity infrastructure and training, and set up clear communication channels. While these requirements may seem demanding, companies should already be prioritizing the protection of their operations regardless of regulatory directives from the SEC.
Data breaches have been on the rise for several years and show no signs of slowing down. For example, Bank of America suffered a data breach in November 2023 in which the information of tens of thousands of customers was compromised by a ransomware attack targeting one of the bank's service providers, Infosys McCamish Systems. Notifications to customers did not begin until February, possibly exceeding state-mandated notification deadlines, and reports said more than 57,000 customers were affected, with data such as names, addresses, Social Security numbers, dates of birth, and some bank account information reportedly leaked.
Data breaches are prevalent across industries and organizations, costing U.S. businesses millions of dollars. The average cost of a single data breach is $4.45 million, highlighting the urgent need for robust cybersecurity measures across all sectors.
New rules and new risks
The SEC's cybersecurity disclosure rules, introduced in July 2023, changed the way publicly traded companies handle and disclose cybersecurity incidents. The regulation is multifaceted, but businesses need to understand the following:
Fast and comprehensive incident reporting — Companies must now disclose “material cybersecurity incidents” within a strict four business days of assessing the severity of the incident. This replaces the less specific “expedited” reporting standard, which often caused delays. Companies must provide a detailed description of the incident, including the nature of the attack, the systems that were compromised, the potential impact on business functions and finances, and the company's response strategy.
Annual cybersecurity framework disclosure — In addition to incident reporting, companies are now required to disclose their cybersecurity risk management policies, governance structures, and incident response protocols in their annual reports. This obligation covers how material risks from cyber threats are assessed and controlled, how boards and management oversee cybersecurity, and how these safeguards fit into the company's broader risk management strategy.
Prioritize investor protection — These regulations aim to provide investors with reliable, up-to-date insight into how companies are tackling cyber risks, and to foster increased transparency and accountability within companies.
Cost of non-compliance — The SEC has not yet outlined the exact penalties for violating the new rules, but its enforcement powers are broad. Combined with other punitive actions such as cease-and-desist orders, fines could reach up to $25 million. A further concern is that a company's failure to disclose material cybersecurity events increases the likelihood of lawsuits from investors and other stakeholders. The SEC rules give activist investors a strong basis for challenging companies that fail to meet their obligations.
But what about GenAI?
The rules are also notable for not mentioning the impact of GenAI. More and more companies are deploying GenAI for everything from customer service to website search. However, GenAI is exposed to increasingly sophisticated manipulation by bad actors, such as subverting chatbots and AI-powered search so that they leak customers' personal data or provide inaccurate information. Such cracks can act like a slow leak in a tire: companies may not notice them for quite some time. Nevertheless, the SEC's cybersecurity disclosure rules do not address the potentially devastating impact of a GenAI breach.
Of course, GenAI cuts both ways. On the plus side, GenAI provides powerful tools to combat cybersecurity attacks and to enhance a company's training capabilities and SEC reporting. However, GenAI must be actively managed, and companies must remember that human oversight remains critical throughout the process. This includes training the model to produce valid scenarios or report formats and continuously validating the quality of its output. GenAI can also help here, flagging potential oversharing in disclosures against pre-set guidelines.
Beyond the omission of GenAI, the SEC's new cybersecurity disclosure rules have received their fair share of criticism. One of the big issues is the question of “materiality” and the strict reporting deadline. Companies are required to determine “without unreasonable delay” whether an incident is serious enough to report, and then report it to the SEC within four business days. This is a tall order considering that it takes an average of 277 days to discover and contain most breaches. How can companies accurately assess the scope of an attack so quickly without the risk of misreporting important details?
Then there's the headache of disclosure itself. Companies must walk a tightrope: providing enough information to satisfy the SEC while not revealing so much that it further jeopardizes security. It's a delicate balance that leaves room for misunderstanding.
Even more concerning is the impact on public and national security. Some experts worry that rushing to publicize an incident could jeopardize investigations. A provision in the SEC's rules allows the U.S. attorney general to delay disclosure for national security or public safety reasons, but this remedy is considered onerous and limited.
Despite these criticisms, the rules are the law. Companies now face the unenviable task of navigating these complexities as best they can. Indeed, the SEC's disclosure rules should be seen not as a burden but as a catalyst for proactively improving cybersecurity. Companies that wait until reporting deadlines to address security are already operating at risk, and waiting for mandatory SEC intervention is a recipe for future breaches.
Corporate cybersecurity leaders need to take advantage of opportunities to improve now and stay ahead of the curve.