Companies 'ill-prepared' to meet newly adopted SEC cybersecurity rules

The "prevailing norm" in corporate America is "governance is lacking, resources are misaligned, and enterprises fly blind to their most critical cybersecurity risks, putting the company and shareholders on uncertain ground," said Scott Kannry, CEO of the cyber-risk engineering firm Axio.


The U.S. Securities and Exchange Commission on Wednesday finally adopted stringent new cybersecurity disclosure rules for public companies, 16 months after the agency proposed them.

That lag gave companies ample lead time to prepare for the requirement that has the cybersecurity community most worried: a mandate that companies publicly disclose a breach within four business days of determining that it was material.

But experts say companies are a long way from being ready.

“This ruling is a great step towards achieving accountability, to protect the consumers and the investor community,” said George Gerchow, chief security officer of the data-security company Sumo Logic and a faculty member at the Institute for Applied Network Security. “The reality is that most companies are currently ill-prepared to meet the requirement of reporting an incident of material impact in four days.”

To be able to meet the disclosure mandate, CEOs and boards will need to be more proactive, gaining a much stronger grasp of cybersecurity risks and establishing the same oversight and governance they do for other major risks to their organization, said Scott Kannry, CEO of Axio, a cyber-risk engineering firm.

Company security leaders also must quickly model the potential impact of new and evolving cyberthreats so that they can more effectively determine whether mitigating actions are appropriate, he said.

“All these outcomes differ starkly from the prevailing norm, where governance is lacking, resources are misaligned, and enterprises fly blind to their most critical cybersecurity risks, putting the company and shareholders on uncertain ground,” Kannry said.

The new rules also mandate that companies annually disclose their cybersecurity risk-assessment strategy, disclose the cybersecurity expertise of management, and provide updates on previously disclosed cybersecurity events.

The rules are aimed at benefiting investors but also will help sharpen management at the companies themselves, SEC Chair Gary Gensler said Wednesday.

“Whether a company loses a factory in a fire or millions of files in a cybersecurity incident, it may be material to investors,” Gensler said. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

Companies will need to be ready to meet the new requirements almost immediately. They'll have to disclose material breaches within four business days starting in mid-December, and firms with the traditional Dec. 31 fiscal year will need to explain their cyber risk-assessment strategy and detail the cyber expertise of management in the annual reports they submit to the SEC early next year.

The SEC hasn’t yet disclosed what the penalties will be for noncompliance.

The new rules passed on a 3-2 vote, with Democrats voting for and Republicans against. Hester Peirce, a Trump appointee, said the SEC is overstepping its authority and displaying a tendency to “micromanage” company operations.


She also said that requiring so much transparency around cybersecurity practices plays into the hands of cybercriminals, handing them a road map of which companies to target and how to attack them.

Correction: An earlier version of this story incorrectly stated that companies would have to disclose the cybersecurity expertise of directors. The SEC’s original proposal would have required that, but that language was dropped from the final version.