New SEC Reporting Requirements

The Securities and Exchange Commission (SEC) adopted new rules for reporting cybersecurity incidents that have some experts concerned they may give criminals the upper hand. The new rules, set to go into effect in December, require large corporations to report “material” cybersecurity incidents within four days, reveal how they detected the incident, and describe board oversight of the response. The rules are designed to protect investors, and the SEC compared the disclosure of a cybersecurity incident to a fire: “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a statement.

Critics of the new rules say that four days is insufficient time to provide accurate information for public consumption, and that the descriptor “material” is too vague for legal departments to apply. The attack may still be ongoing after four days, and the disclosure could give the criminal more information to continue the attack. Cybersecurity experts are also concerned that disclosing how the incident was detected will give criminals clues on hiding future attacks.

The rules go into effect for large companies in December, while smaller companies have until July 2024 to comply with the new reporting system. The rules are designed for publicly traded companies, but experts are already putting smaller private companies on notice. Large corporations utilize many small private businesses in their supply chain, and these rules will trickle down to small and medium-sized businesses quickly.

The healthcare sector is also responding to the news of the new rules since they represent the most popular target for cybercriminals. Some healthcare officials think the new rules will add cost and represent an extra step beyond HIPAA and state reporting that they are already required to follow after an incident. The rules could also trigger patient lawsuits if the SEC filings reveal poor data management in the detection and oversight.


Posted by Charles Wright