Reporting Cyberattacks

The SEC is giving companies 4 days to report cyberattacks. More harm than good?

The US Securities and Exchange Commission (SEC) announced on July 26th that it wants “public companies to be more transparent and forthcoming about ‘material cybersecurity incidents.’”

By a narrow 3-2 vote, the SEC commissioners decided that public companies must disclose the details of an incident, and its impact on their financial results, on Form 8-K within 96 hours of any cybersecurity event.

If it feels like we have been dealing with higher volumes and higher costs of breaches over the last few years, you are not wrong. Cybersecurity breaches reported by public companies rose from 28 in 2011 to 188 in 2021, a 600% increase. We went from the occasional Nigerian prince email, and the days when Lincoln National mistakenly printed a username and password in a brochure posted on a public website (an error that accounted for nearly all of the records breached during 2010), to the current era, where zero-day breaches happen every week.

Costs associated with the breaches, borne by issuers and their investors, amount to trillions of dollars per year in the US alone. And the monetary cost isn’t everything. The SEC is right to point out that “Cybersecurity intrusions can go beyond the loss of sensitive information and related remediation…they can alter the normal course operations of complex, capital- and infrastructure-intensive businesses.”

The good news is that companies can no longer cherry-pick which incidents to report and withhold details. In addition to expeditious 8-Ks, the new rules also require firms to disclose, annually, information on their cybersecurity risk management and executive expertise.

The bad news is that the new rules will require granular disclosures and create a cybersecurity checklist that the SEC is not qualified to write, and the temptation to micromanage will only grow over time. The other, more dangerous, bad news is that criminals will use these disclosures as a roadmap for which companies they should target and the most effective ways to attack them. We know they read 8-Ks now. The new rules will provide a great deal of insider detail on process (ransomware), scope (payout) and technique (SQL injection) that will be useful to attackers planning future attacks.

And when we look back at 2010 and compare it with our modern world, it may be that we have not come so far after all. While the zero-day breaches are clever and new, the attack vector is old and proven: bad guys still rely on phishing and social engineering, as 95% of successful breaches still start with a human mistake.

And with the advent of generative AI (G-AI), those lures are enormously more convincing than ever.

Author

Steve King

Managing Director, CyberEd

King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.
