Expert Comment: New SEC rule requiring disclosure of cyber-incident within 4 days
Reaching out as you may have seen in the news that the U.S. Security and Exchange Commission (SEC) have released new rules that require publicly traded companies in the US to report a “material” cyber-incident within 4 days.
Joseph Carson from Delinea has commented on this new ruling and whether it is realistic when organisations main priority and focus during an attack is retaining control not determining any “material” impact.
The latest U.S. Security and Exchange Commission (SEC) ruling will cause shock waves for publicly traded companies and their legal teams trying to assess how they can quantify and measure a “material” impact to their finances within 4 days of a cyberattack.
Typically, within 4 days, organisations would be in the midst of trying to retain control over their systems from unauthorised access, rather than having to also try and determine any “material” impact to their finances.
Most cyber-attacks have a cost but the big question in incident response will now be how to evaluate “material” impact of an incident in such a small timeframe.
The real impact of the SEC ruling is now the need for Incident Response teams to have a significant investment to ensure they can meet this new cyber-attack disclosure requirement.
A major issue is that not all cyber-attacks are equal, and the question and focus on “material” can result in many different assumptions such as data theft and how to quantify the “material” impact.