- The SEC has ordered listed companies, including crypto firms, to comply with new cybersecurity requirements.
- Cybersecurity experts react to the new rules.
SEC Adopts New Rule to Protect Investors
The Securities and Exchange Commission has adopted rules requiring public companies, crypto firms among them, to disclose material cybersecurity incidents within four business days of determining that an incident is material. SEC Chair Gary Gensler believes investors would want such cybersecurity details.
“Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors,” Gary Gensler said.
The SEC's rules are not limited to timely disclosure of incidents; they also require companies to describe their cybersecurity risk management, strategy, and governance in their annual reports.
The new rules require disclosure of the material aspects of an incident, including its nature, scope, and timing, and its material impact or reasonably likely material impact, within four business days. Disclosure may be delayed if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of that determination in writing. Such a delay cannot exceed 60 days except in extraordinary circumstances.
The Securities and Exchange Commission recognizes that such incidents can jeopardize a company's operations and investors' funds. Its press release states that the adopted rules are intended to ensure transparency and protect investors.
Industry Players React to SEC's Newly Adopted Rules on Cybersecurity
Since the Securities and Exchange Commission announced its adopted cybersecurity rules, reactions from industry experts have been mixed.
Some cybersecurity experts, such as Tenable CEO Amit Yoran, support the rules because they make cybersecurity a top priority in companies. Other industry players believe the rules may give cybercriminals insight into companies' cybersecurity strategies.
“The SEC has approved new cybersecurity rules, which is a significant step in the right direction. These breach disclosure rules will help give CISOs a seat at the table. Companies should start preparing and thinking about their policies, procedures, organizational structure, and toolsets immediately,” ColorTokens’ risk officer, Nakul Goenka, told SecurityWeek.
Amit Yoran said that the largest companies have not treated cybersecurity as a top concern, and that the SEC's new rules now force them to make it a top priority.
“For a long time, the largest and most powerful U.S. companies have treated cybersecurity as a nice-to-have, not a must-have. Now, it’s abundantly clear that corporate leaders must elevate cybersecurity within their organizations,” said Amit Yoran.
But Hester Peirce, a dissenting Republican Commissioner, believes the new rules will likely aid hackers by disclosing cybersecurity information that could lead to more cyber attacks. She also stated that the rules may give the Commission the power to micromanage companies, including crypto firms.
“It is the right thing for organizations to disclose breaches, but at face value, forcing a rapid public disclosure is a bad idea. It will result in reactive market behavior, erosion of trust, and confusion, and in some cases, it may even give insight to the attacker on your visibility,” a security director said.