The Securities and Exchange Commission (SEC) recently issued new rules for publicly traded companies requiring them to disclose cyberattacks within four business days if the incidents are “material.”
“Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors,” said SEC Chairman Gary Gensler. The new rules take effect in December, or 30 days after publication in the U.S. Federal Register.
Within the EU, U.K., Canada, South Africa, and Australia, companies have 72 hours to report a cyber incident. In other countries like China and Singapore, it’s 24 hours. In India, companies have to report the breach within six hours. But these legal frameworks relate to personal data; the new SEC ruleset is wider, as it’s looking at “company viability.”
Companies must submit Form 8-K, in which the following information is requested:
- The date of detection of the incident, and if it is ongoing
- A description of the nature of the incident, and its extent/scope
- Any data that may have been stolen, altered, accessed, or used for any other unauthorized purpose
- The effect of the incident on the company’s operations
- Information on ongoing or completed containment efforts by the company
Smaller companies are granted an additional 180 days before they need to file their 8-K. Plus, companies defined in the Critical Infrastructure sector already have a reporting requirement of 3 days (and must report any ransomware payments within 24 hours) under the Critical Infrastructure Act of 2022.
Dark data problem
Companies can answer the first two and last two points in short order. If the cyberattack compromised a specific business area or system, those responsible know the value of the affected business and the potential damage.
But most companies will have difficulty properly assessing the value of any data that may have been stolen, altered, accessed, or used for any other unauthorized purpose. Why? Blame the rising volume of fragmented, hidden data, also known as dark data. This data is often stored without being classified, indexed, or tracked.
Companies need to sift through this data to understand its value to the business. They must locate, identify, categorize, and classify the data, and have the ability to report on that content at speed. Only then will they be able to better assess the extent and impact of a successful attack for themselves, and for the regulatory SEC report they will now be required to provide for every material cyberattack their firm suffers.
Modern data security and management solutions, such as Cohesity DataHawk, can classify the data correctly, match it to companies’ relevant record strategies, and provide threat analysis. DataHawk can identify vulnerabilities that could be exploited by the attackers, hunt for Indicators of Compromise (IOCs) across the ecosystem, and provide point-in-time snapshots for forensics.
For companies, this is valuable information on which data was accessed and which data was possibly compromised. These insights can help companies to understand the damage more precisely, to contain it, and, above all, to eliminate it more quickly. These efficient measures can be listed in the last point of the SEC report, and provide the missing information that the SEC is looking for—without which many companies would be left in the dark.
Prepare for the new SEC requirements
Company security teams should be prepared to gather the SEC report information as they investigate the incident. This will require coordination between Operations, Security, and IT groups and may require a dedicated asset during the incident to ensure compliance with SEC mandates. This process has not yet been set up in most security operations centers, and the SEC announcement should accelerate that.
The tight four business day deadline should also be factored into the company’s disaster and recovery plans and cleanroom recovery process. If the attack disables large parts of IT, the tools used to gather information for the SEC report, and to file the report itself, may need to be prioritized higher in recovery. Otherwise, the deadline will pass while companies try desperately to find the right data and restore the necessary tools.
In such moments of crisis, the prospects of complying with the SEC requirements fade because crucial information is missing. The SEC imposed fines of $6.4 billion in 2022 alone, and their rules have teeth. We must also recognize the broader effects of the attack on the sector—the SEC requirements exist not to make money but to ensure rapid awareness of impactful cyber incidents, and can provide critical threat information to the greater community to help mitigate or avoid further attacks.
Turning data classification into a competitive advantage
If you know your data well thanks to classification, you can take advantage of that visibility across your business. Stricter cyber resiliency rules can be defined for important data to ensure that the data is backed up at requisite intervals and secured in other locations such as a virtual cyber vault. Companies can also take security copies of data to be used by their security teams for investigations.
If data is then modified in a cyberattack, security teams can search dozens of historical security copies for evidence of an attack or alteration. This can help identify the gap plus the method and vulnerabilities exploited by the attackers. Even these advanced mechanisms for recovery and containment can be listed by companies in the SEC report and show investors that they are in control.