‘Four days is not enough’ as new cyber rules cause impact

Companies like ThreatLocker are questioning the SEC's decision that businesses must disclose any cyberattack within four days, prompting debate.

In a new ruling by the Securities and Exchange Commission (SEC), businesses are now required to disclose cyber breaches as public information within 96 hours.

The regulation was first announced in July 2023, and businesses are now pushing back against it in the belief that it could cause more harm than good. Cyber experts like ThreatLocker in particular have called for greater leniency, suggesting that it will put greater pressure on companies to disclose cyberattacks.

Organisations are expected to assume that a cyberattack is imminent and that they will experience real data breaches. Regulations of this nature also call for businesses to ensure that their cyber defence strategies are robust and can quickly stop or remediate a breach.

It is understandable that regulators will want to see more transparency in the midst of rising global cyberattacks. In the wake of this decision, however, it remains to be seen whether other countries will follow suit and implement harsher measures on companies to disclose any type of breach.

Weighing up the risks to business

The new SEC regulations require firms to file an ‘Item 1.05 of Form 8-K’ about cybersecurity incidents, describing the nature, scope, timing and (likely) impact of the breach.

These forms will generally be due within four business days - with the exception being if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.

The new SEC rules only apply to public companies in the USA. Currently, under Article 34 of the General Data Protection Regulation, any UK breaches that lead to accidental or unlawful destruction, loss, access, alteration or disclosure of personal data must be reported to the Information Commissioner’s Office (ICO) - a privacy and data watchdog - within 72 hours, but are not publicly disclosed.

The ICO says that only breaches that are “sufficiently serious to warrant notification to the public” must be reported as such “without undue delay”. Breaches that “do not pose a risk to people's rights and freedom” do not have to be flagged. Non-personal data, which does not contain any information that can be used to identify a person, does not need to be disclosed.

Questions of inequality: Will smaller businesses struggle to keep up?

It is clear that all businesses will need to implement appropriate training programmes and greater investments into cyber resilience. However, small businesses may be impacted to a larger degree, given the scale and cost of these types of breaches and threat prevention.

ThreatLocker’s Chief Technology Officer Michael Jenkins says the quick turnaround time that the SEC has imposed has frustrated businesses and may create other problems. 

“The companies that are pushing back are concerned about the four days,” he says. 

“The rules say a publicly traded company must file a Form 8-K disclosure within four days of learning about a cybersecurity incident such as a breach. That’s too soon.

“If you’re publicising a vulnerability within four days of it happening, you’re putting other businesses at risk.

“Just look what happened with WannaCry - the fastest-spreading cybercrime attack in history. It spread like wildfire because it was announced in the public domain.”

He continues: “WannaCry’s impact wasn’t because of a hacker - it got worse because a vulnerability was published and 1,000 businesses were then attacked with US$4bn in damages worldwide. It could have been contained.

“Once you announce a vulnerability, it doesn’t matter if you fixed it, there’s still other people that haven’t. That’s why this new regulation is worrying people.” 

ThreatLocker Co-Founder and CEO Danny Jenkins agrees, saying: “The problem with the new SEC ruling is that the wording is too broad. 96 hours is not enough time to understand the damage of a cyber attack.

“The bigger question I think is not whether companies should be making hacks public, but whether or not they are meeting the government-backed criteria - like the CISA Best Practices in the USA or the Cyber Essentials scheme in the UK.”
