SEC data breach rules branded “worryingly vague” by industry body
The new rules announced last week leave many questions unanswered, according to security industry experts
New data breach reporting rules introduced by the Securities and Exchange Commission (SEC) last week have been described as “worryingly vague” and may create a harmful operating environment for security professionals, according to (ISC)2.
Tara Wisniewski, EVP for advocacy, global markets, and member engagement at the security non-profit, challenged the new scheme, warning that many aspects of the new framework are open to interpretation.
While Wisniewski broadly welcomed the changes, she suggested that the announcement could create confusion for professionals in the industry.
“While we support the fundamental principles of public disclosure to inform and protect shareholders, customers, and other constituents, the SEC ruling is worryingly vague. It poses more questions than answers, and may create ambiguity for cyber professionals.”
Under the new rules, public companies will be held to a higher standard of reporting, with firms required to disclose security incidents within four days.
The ‘Form 8-K’ requirement means companies will have to report any security incident they deem ‘material’ within this timeframe and provide information on the timing of the attack, its scope, and the potential impact on the business and customers.
However, the terminology used by the SEC is a point of serious contention for (ISC)2 and could be left “open to interpretation”.
This, the organization said, could lead to over-reporting of security incidents, placing greater pressure on overworked staff. Similarly, (ISC)2 warned the framework could prompt a trend of under-reporting, which in the long term might leave cyber security practitioners personally liable for incidents.
As such, the organization called for a clearer definition of what constitutes an incident under the new guidelines.
“There are no concrete definitions for which cyber incidents must be disclosed, or what the SEC means by ‘material impact’. There are millions of attempts on businesses daily, some unsuccessful, others partially so,” said Wisniewski.
“Without clearer definitions, the rules are open to interpretation which could either lead to over-reporting, distracting cyber professionals from their main task of network protection, or under-reporting, which could expose cyber professionals to personal liability.”
Overburdened security professionals
Another point of contention raised by (ISC)2 centers around the new board oversight requirements outlined in the SEC’s recent changes. Under the new rules, businesses will be required to file annual reports disclosing their security risks, cyber strategy, and governance practices.
Annual 10-K reports will be required to outline specific measures taken by organizations to identify and mitigate security threats, as well as insights on executive oversight of company security practices.
Wisniewski said that these new rules “do not go far enough”, adding that the guidelines are ambiguous and could lead to increased pressure on practitioners as executives rely on staff for advice and guidance.
As a result, the non-profit has called for the establishment of a “more formal framework for board oversight responsibilities”.
“The ambiguity only creates more burden for overworked and under-staffed cyber security professionals, as boards and corporate leaders will increasingly rely on them for interpretation of the guidance,” she said.
“So while we support collaborative efforts to protect consumers, the importance of cyber threats and the complexity of management requires very clear guidelines with detailed definitions so cyber professionals do not inadvertently fall afoul of well-intentioned regulation,” Wisniewski added.
“Cyber professionals are looking for clarity, and this ruling falls short in that regard.”
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.