Staying Ahead of the Game: CISO Preparedness for the New SEC Cyberattack Guidelines

The Latest Securities and Exchange Commission regulations mandate that publicly traded firms must report cyberattacks within four business days.

The Securities and Exchange Commission (SEC) recently released updated regulations stipulating that publicly traded companies must report cyberattacks within four business days if they are deemed “material” incidents.

“Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors,” said SEC Chairman Gary Gensler. The new rules take effect 30 days after publication in the U.S. Federal Register.

In the EU, U.K., Canada, South Africa, and Australia, companies need to report a cyber incident within 72 hours. In China and Singapore, the timeframe is 24 hours, and in India, it’s within six hours. However, these regulations primarily pertain to personal data. The new SEC ruleset has a broader scope, focusing on the overall “company viability.”

Companies need to provide the following details when submitting Form 8-K:

1. Date of incident detection, indicating if it’s still ongoing.
2. Description of the incident’s nature and its extent/scope.
3. Any compromised data, whether stolen, altered, accessed, or used without authorization.
4. Impact of the incident on the company’s operations.
5. Information regarding the ongoing or completed containment efforts by the company.

Smaller firms have an extended timeframe of 180 days to submit their 8-K filings. Additionally, entities categorized in the Critical Infrastructure sector must report incidents within three days and any ransomware payments within 24 hours, per the Critical Infrastructure Act of 2022.

Dark Data Problem

Companies can quickly address the first and last two points regarding a cyberattack’s impact on their business. If a cyberattack targets a specific business area or system, those handling the incident can estimate the affected business’s value and potential damage. However, evaluating the importance of data compromised during an attack poses a challenge for most companies. The primary hurdle is the increasing amount of unorganized and hidden data, often called dark data, which is stored without proper classification, indexing, or tracking.

Companies must go through this data to grasp their business value. They need to find, recognize, sort, and label the data, being able to report on it swiftly. This process will help them accurately gauge the scale and consequences of a successful attack, both for internal assessment and the mandated SEC report for every significant cyberattack their company experiences.

Modern solutions like Cohesity DataHawk in data security and management can accurately classify data, align with a company’s record strategies, and offer threat analysis. DataHawk identifies potential vulnerabilities for exploitation by attackers, hunts for Indicators of Compromise (IOCs) throughout the system, and provides momentary snapshots for forensic analysis.

For companies, this provides crucial details on accessed and potentially compromised data. These insights aid in understanding and containing the damage swiftly and effectively. These actions can be summarized in the final section of the SEC report, filling in the critical information sought by the SEC and preventing companies from being uninformed.

Prepare for the New SEC Requirements

Security teams within companies need to efficiently collect the required SEC report data while investigating an incident. This entails coordinated efforts between Operations, Security, and IT teams, potentially necessitating a dedicated asset to ensure SEC compliance during the incident. Currently, this process is lacking in many security operations centers, and the recent SEC announcement should drive its implementation.

Consider the stringent four-day business deadline in the company’s disaster recovery and cleanroom recovery plans. In case of a significant IT disruption from the attack, the tools for SEC report data collection and filing might need top priority in the recovery process. Failing to prioritize these tools could lead to missing the deadline as companies struggle to locate vital data and restore essential reporting tools.

In crisis situations, meeting SEC requirements becomes challenging due to missing vital information. The SEC imposed substantial fines, amounting to $6.4 billion in 2022 alone, highlighting the stringency of their regulations. It’s essential to understand the broader impact of an attack on the sector—the SEC rules are not merely for financial penalties but to swiftly inform about significant cyber incidents. They also offer crucial threat data to the larger community to mitigate or prevent subsequent attacks.

Turning Data Classification into a Competitive Advantage

Understanding your data through proper classification allows for effective use of this knowledge throughout your business. Essential data can be subject to more stringent cyber resiliency rules, ensuring it’s backed up at needed intervals and stored securely, for example, in a virtual cyber vault. Additionally, companies can create security copies of data for their security teams to use in investigations.

In case of data modification during a cyberattack, security teams can review numerous historical security copies to detect signs of tampering or compromise. This assists in pinpointing the breach, the method used, and the vulnerabilities exploited by the attackers. Companies can showcase these advanced recovery and containment methods in the SEC report, demonstrating their control to investors.