SEC Cybersecurity Disclosure Rules Take Effect
So, it begins! The SEC cybersecurity disclosure requirements take effect today for public companies, requiring them the report material cybersecurity events to the SEC and investors. I can simultaneously hear both a waterfall of tears and a resounding applause coming from the cybersecurity sectors as this has serious ramifications to how many companies chose to handle such notifications (if they did so at all in the past).
Henceforth, investors should consistently get the benefit of being informed in a timely manner for material incidents that now include cyber-attacks! They have this right, to understand issues with their investments, and material cyber events were often missing from the picture until now.
The genesis of this requirement was due to many organizations choosing to delay for unreasonably long periods or find excuses to not report such issues to the public. In fact, many such admissions only occurred after security researchers or attackers themselves when public first, thereby forcing the victim organization to communicate to its shareholders, partners, and customers. Sadly, many games were being played and the requirement to report material issues was played fast-and-loose, to the detriment of investors and consumers.
Not any longer. Now the decision is to either lawfully comply or potentially be prosecuted by the SEC and perhaps in related class action sized litigation. The masquerade party is over.
These requirements represent an additional benefit to cybersecurity. As companies come forth to report significant digital attacks, it will reveal the true nature, scale, and maturity of cybersecurity across the landscape of public companies. No more hiding, concealing, or minimizing cyber-attacks. We will get to see a clearer picture of the aggressive nature of attackers, the scale of malfeasance, and the incompetence of organizations to manage risk in a reasonable way.
It is time for transparency. Today represents a new dawn that will drive positive changes — including increased accountability, investment, and prioritization for protecting our digital world.