“I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
When the rule was first proposed, several security experts voiced concerns about the four-day incident disclosure timeline. Within the new four-day timeline, organizations must file a Form 8-K describing the “material aspects” of the disclosed incident’s nature, scope and timing, as well as its material impact.
While advocates for the cyber rule hope that this timeframe will help shareholders make more informed decisions about their investments, critics say that the timeline is too fast for companies already grappling with the impacts of a cyberattack.
Harley Geiger, Counsel for the Center for Cybersecurity Policy and Law, said the four-day disclosure will “change the playbook on cyber incident management for publicly traded companies.” Previously, said Geiger, the best practice for organizations has been to initially disclose security incidents only to those who are involved with incident response, containment and remediation efforts.
“We believe this creates a risk to companies, investors and consumers, when the incident is disclosed prior to being contained or mitigated,” said Geiger. “If [it’s not disclosed prior to being contained or mitigated], this means the vulnerability allowing the attack to occur in the first place may still be exploited by other malicious actors, and the original attackers still in the system… can cause damage once they realize their cover has been blown.”
The government and security experts alike have long touted the benefits of incident response reporting, and many other reporting requirements, like the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), also exist. However, Geiger said that other requirements mandate more confidential alerts; under CIRCIA, for instance, critical infrastructure entities must report incidents to CISA.