Four Day SEC Reporting Rule
In March of 2022, the Security and Exchange Commission’s (SEC) proposed a rule mandating registered companies to report material cybersecurity breaches within 4 days. In this article we will discuss some specifics of the proposed rule; what constitutes a breach, and what you can do to prepare for its requirements, which are expected to be finalized in April 2023.
What’s In the Rule?
The proposed rule, formally titled, “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” contains a great deal of information which we will discuss in broader terms to give you the most impactful points. It is important to note that the proposed rule dictates that the 4-day countdown starts from the time that a breach is ruled to be material, rather than from the moment the breach is detected. This gives an organization some flexibility in gathering the relevant facts and filing the necessary paperwork with the SEC.
To begin, lets answer the question of, “What is considered a breach?” The SEC has defined a cybersecurity incident as:
“An unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” This includes “…an accidental exposure of data, a deliberate action or activity to gain unauthorized access to systems or to steal or alter data, or other system compromises or data breaches.”
The important takeaway from that second part is the inclusion of accidental exposure of information. If the information exposed is of material significance, then it is required to be reported to the SEC as a breach. The organization must also track smaller cybersecurity incidents which on their own are considered immaterial, but in aggregate may be considered a material breach.
For example, imagine your organization is targeted with several phishing attempts which, over time, transform to contain more specific information which typically would only be known by members within the organization. This could be an indication that the potential attacker is gaining information either from phishing attempts or other means and using it to refine their attack. This may be a case where management determines that the attacks are quantitatively or qualitatively material or both.
Preparing For a Breach
Let’s look at what should happen behind the scenes to help the company survive when a breach happens. Looking at the above measures that need to be taken once a breach is detected, it is expected that certain mechanisms are already in place to address the attack.
- Policy, procedure, and qualified personnel in place to determine materiality.
- A qualified employee, or team dedicated to compliance measures.
- A cohesive plan that creates communication channels between management, IT leadership, company counsel, and board members.
It is vital to understand that the SEC expects breaches to happen, it is what happens after the breach that often gets overlooked when discussing enterprise security. If you would like more information regarding security incidents or help setting up your company’s incident response plan, McKonly & Asbury would be happy to help. We currently offer the full suite of SOC services to clients in a broad variety of industries. Be sure to visit our System and Organization Controls (SOC) service page and don’t hesitate to contact us with any questions.