Infosec experts divided on SEC four-day reporting rule

Transparency woes

Tenable CEO Amit Yoran said a potential benefit from the SEC reporting rule was greater transparency, which is an ongoing concern. Last year, the Committee on Homeland Security and Governmental Affairs published a report titled "Use of Cryptocurrency in Ransomware Attacks, Available Data and National Security Concerns" that described ransomware reporting as "fragmented and incomplete." The problem remains ongoing, as many companies only report breaches after being added to a ransomware group's public data leak site, used to pressure victim organizations into paying.

"When cyber breaches have real-life consequences and reputational costs, investors should have the right to know about an organization's cyber risk management activities," Yoran said in an email to TechTarget Editorial. "This is a dramatic step toward greater transparency and accountability and will greatly improve our cybersecurity preparedness as a nation."

In addition to the four-day reporting rule, the SEC will require companies to "describe their processes for assessing, identifying and managing material risks from cybersecurity threats" on an annual report on Form 10-K. Companies will also have to disclose the board of directors' oversights of risks from cybersecurity threats and management's role in the ability to assess and manage material risks. Yoran emphasized the positive effect those rules could have on cyber hygiene.

The SEC has made it abundantly clear, he said, that corporate leaders must elevate cybersecurity within their organizations. The rules may regulate cyber hygiene implementations and provide a more complete picture of a company's security posture.

"Requiring companies to provide annual updates of their cybersecurity risk management strategy and governance and report material breaches within four business days will keep customers and investors better informed as to who they trust with their business," Yoran said.

On the other hand, Wisniewski is concerned the board oversight requirements don't go far enough. The ISC2 would like to see a more formal framework and oversight, she said. Currently, the rules put more pressure on the technical professionals, and cybersecurity teams are already understaffed as is.

Will it give an advantage to the attacker?

While being upfront after a cyber attack can be beneficial, the infosec community has long debated how much transparency might be too much. The new SEC rules fuel the ongoing debate, which Wisniewski said further highlights a lack of consensus within the cybersecurity community.

One potential downside to the hard-and-fast reporting rule, Budd noted, is that information about incidents may trickle out over time rather than come as a single, definitive and authoritative statement. "This is because incidents and investigations take time and so organizations may not have the full story yet after four days and need to provide ongoing updates after the initial disclosure," Budd said.

Yoran said the SEC has attempted to address the short turn-around concerns by narrowing the amount of information that must be disclosed. The rule requires disclosure of the impact of the incident rather than details about the incident itself, he said, which may minimize risk around sharing too much information that may benefit the attacker.

"Ultimately, the SEC weighed in favor of investors deserving timely, standardized disclosures of cybersecurity incidents that materially affect registrant's business," Yoran said.

However, the most important aspect of the transparency debate is whether shared information will give the advantage to the attackers rather than the organizations.

When the cybersecurity rules were first proposed by the SEC last year, Harley Geiger, counsel for Venable LLP and former senior director of public policy for Rapid7, detailed potential problems in a blog post. His main concern revolved around the consequences of companies disclosing a cyber incident before it has been contained or mitigated. However, he also said Rapid7 generally supported the proposed rule, but a balance of the risks and benefits of transparency was necessary.

Geiger offered scenarios that would benefit the attacker while hurting the victim. For example, he emphasized how attackers will maintain persistence inside a victim organization sometimes for years. Discovered attackers could cover their forensic trail or accelerate data theft or extortion activities. Additionally, it could alert attackers to a vulnerability that's present in other companies, he warned.

"The public disclosure of material cybersecurity incidents prior to containment or mitigation may cause greater harm to investors than a delay in public disclosure," Geiger wrote in the blog post. "We recommend that the SEC provide an exemption to the proposed reporting requirements, enabling a company to delay public disclosure of an uncontained or unmitigated incident if certain conditions are met."

Last August, Rapid7 issued comments to the SEC about the proposed rules. While the cybersecurity vendor said it supported many aspects of the proposal, it also voiced concern that premature disclosure could put investors at risk. In an email to TechTarget Editorial, Rapid7 said the RFI filing from August 2022 still reflects the company's current stance.

The filing also echoed Geiger's recommendation for exemptions to the reporting rule. The SEC addressed that concern in the new rules, which state a disclosure may be delayed if the U.S. Attorney General determines it would "pose a substantial risk to national security or public safety."

While infosec experts agree it's going to take time and practical experience to see how effective the allowances will be, the vagueness may again cause concern. Budd highlighted how there are general but not specific guidelines on how petitions for these allowances will be considered. On the other hand, Yoran said the allowance delay rule aligns with other public reporting and disclosure timelines of a material nature.

Still, Yoran acknowledged an industry-wide concern that a four-day reporting rule may put a victim organization at a disadvantage if it's not had enough time to gather all the facts. He highlighted one cyber incident -- the SolarWinds supply chain attacks -- where he did not believe it impeded the victim organization.

"Consider that Mandiant didn't have all the facts when they sounded the alarm about the SolarWinds breach, but they disclosed what they could. And it ended up creating transparency for the entire industry and likely helped lots of customers avoid disaster," Yoran said.

Another potential problem Wisniewski addressed is how far the reporting rule may extend. For example, will companies be required to report to cyber insurance carriers as well? Depending on its risk register, some boards will require reporting to insurance carriers promptly. Additionally, she said that some cyber insurance policies require the insured to report directly to the carrier when the incident reaches a certain risk level.

In the end, Wisniewski said the SEC reporting rules give regulators in general an opportunity to engage organizations in the field and explain what their thinking is about the requirements and cybersecurity in general. "I think it's much more effective if there is almost a partnership mindset as opposed to a policing mindset," she said.