New rules requiring publicly-listed firms to disclose serious cybersecurity incidents within four days have been adopted by the US Securities and Exchange Commission (SEC).
The tough new rules, although undoubtedly well-intentioned, are likely to leave some firms angry that they are being "micromanaged" and - it is argued - could even assist attackers.
From December 2023, listed firms are required to report details about "material" cyberattacks describing "the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant."
What does "material impact" mean? According to the SEC that includes "harm to a company’s reputation, customer or vendor relationships, or competitiveness" as well as the risk of litigation or regulatory action.
I don't know about you, but that sounds like a pretty broad definition.
What we do know is that in the early days of a cyberattack it is often difficult for a targeted company to determine the type and the scope of the data which might have been breached by malicious hackers.
By its very nature, the theft of data is not like the theft of a physical object.
If you break into The Louvre and steal the Mona Lisa, it's pretty obvious what has been taken - there's a gap on the wall where the Mona Lisa used to be displayed.
Data, however, can be exfiltrated from an organisation by being copied to another location - the original version is still present. In short, there is no gap on the wall.
On many occasions it has taken much longer than four days for organisations to confidently state what data might have been accessed by the cyber criminals, and what hasn't.
And if an organisation cannot make that complex determination with accuracy, there is the potential that it may share incorrect or incomplete information with the authorities, as well as affected partners, employees, and customers.
Plenty of hacked firms have felt the pain in the past of announcing a data breach, only to have to then make a new announcement revealing that even more data was stolen than initially thought - doing further damage to their brand and business relationships.
Furthermore, a company that publicly declares a data breach to be much worse than it was in reality will often find it hard to undo the damage done by the original announcement.
In addition, a company rushing to meet a deadline may feel compelled to announce that it fell victim to a previously undisclosed zero-day vulnerability, before it has had an opportunity to report the flaw responsibly to a vendor, and before a patch has been made publicly available. A public disclosure of flaws could, potentially, lead to other cybercriminals attempting to exploit the same vulnerability in other attacks, against other businesses.
So, I do have some sympathy for organisations that fear that regulators may rush them into making an announcement of a cyberattack before they have collected all the necessary information.
On the other hand, it is clear that some companies in the past have deliberately withheld information about a cyberattack, underplayed its true severity, or only released details of a breach at a time that is likely to do the least damage to their reputation (perhaps on a Friday afternoon, or just before the Thanksgiving holiday).
Ultimately, companies are on the defensive, against both cyberattacks and losing customers.
Disclosing breaches in a "more consistent, comparable, and decision-useful way" (the words of SEC chair Gary Gensler) does sound helpful, and should enhance transparency.
Although undoubtedly this could bring some benefits to the general public, and will be broadly welcomed, it will also create headaches for firms in the immediate aftermath of an attack - when they may feel they are putting their resources to better use putting out the fire in front of them.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.