
Cyber risk strategies in hot seat as SEC rules go live

The Securities and Exchange Commission has reached the compliance dates for its cyber incident disclosure rules, the first of their kind for U.S. public companies.

The rules, which require companies to disclose a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material, are driving significant changes in how publicly traded companies operating in the U.S. prepare for and carry out cyber risk strategies at the board and executive level.

Firms have been actively reviewing their incident response programs to determine whether they are getting the right information to make an informed decision on materiality, said Joe Nocera, lead partner of cyber, risk and regulatory marketing at PwC. “So they’re looking at that definition of materiality, which is reasonably vague by the SEC, and they’re saying, how do we apply that to our organization?”

One of the SEC's key goals is to make sure companies are better prepared to assess and mitigate material breaches, whether ransomware or nation-state espionage, and to tell investors about them promptly.

Despite a number of regulatory enhancements at the federal and state levels following the SolarWinds and Colonial Pipeline attacks, the U.S. has seen a resurgence in ransomware and other malicious activity, fueled in part by nation-state activity linked to Russia, China and, more recently, Iran.

“The continued geopolitical tension around the world provides a perfect storm for bad actors and nation-state attacks, and the government is using all its regulatory policy might to enforce cyber compliance,” said Lisa Donnan, a partner at Option3, a private equity fund that specializes in cybersecurity.

Investigations into some of the nation's biggest attacks and breaches in recent years show a pattern in which corporate executives were unaware of, or overlooked, glaring security risks whose remediation could have prevented some of those attacks.

Morgan Stanley agreed to pay $35 million to settle SEC allegations that it failed to protect the personally identifiable information of roughly 15 million customers.

The Department of Transportation's pipeline safety regulator found that Colonial Pipeline committed multiple control room management violations in an investigation tied to the 2021 ransomware attack, and proposed civil penalties of nearly $1 million.

In other cases, the SEC has alleged that top executives deliberately misled investors about software vulnerabilities, mitigation strategies or other measures that could have been taken to prevent an attack.

In the SEC's civil suit against SolarWinds and its CISO, Tim Brown, the agency alleges that internal presentations and emails circulated during the two years between the company's IPO and the December 2020 Sunburst attack discussed weaknesses in its Orion software platform and concerns about remote access security.

Meanwhile, the SEC alleges, the company was making public statements to investors touting the security of its platform while keeping those internal discussions from the public.

How to respond

Companies are reassessing their existing incident response plans, including aligning those plans with the new disclosure requirements, according to Jerome Tomas, chair of Baker McKenzie's SEC and Financial Institution Enforcement Group.

That work includes conducting tabletop exercises with legal and information security teams together, Tomas said, so that the people who will make the materiality call have practiced doing so under time pressure.

“Public companies are very familiar with the factors that go into a materiality determination,” Tomas said. “That said, companies are sharpening their focus on determining how, for example, previous quantitative materiality metrics can be applied and used for cyber incidents.”

The information needed to determine whether a data security incident is material is often fluid in the early stages of a response, and the four-business-day clock starts only once that determination is made. The relevant factors include:

  • The amount of impacted data
  • The number of impacted customers
  • Business disruption costs
  • Ransom payments
  • The type of PII at issue

As part of developing a more robust incident response plan, companies should establish a relationship with their local FBI field office before they need it, according to Chris Stangl, a managing director in the cybersecurity and investigations practice at Berkeley Research Group and a former FBI agent.

“In times of crisis, it’s never a good idea for first contact to be made while in the deep throes of a response,” Stangl said via email.

The FBI can provide expert advice to companies after an incident and help them judge, at a fairly early stage, whether an incident is significant, he said.

The FBI earlier this month published the process by which a company can request a delay of its SEC disclosure. A delay must be justified on national security or public safety grounds, is routed through senior levels of the Department of Justice, and is ultimately decided by the Attorney General, so companies should not count on it as a routine option.