The SEC’s New Hack-Reporting Rules Are Spooking U.S. Companies
With Halloween around the corner, here’s something really spooky: The SEC announced new hack-reporting rules for publicly traded companies in late July that are scaring corporate leaders.
These rules are designed to shed light on the extent of cybersecurity threats; unfortunately, they have been stirring controversy because of a host of unintended consequences.
If you’re a CEO, CISO, or IT Director, your life has just been made more complicated by the fact that the government now wants you to report every hack, foiled or successful, that has “materially” affected your company within 96 hours of said event.
This means your IT cybersecurity team, server maintenance experts by inclination and training who are already on the verge of mutiny from overwork, now has a new assignment: generating reports on every cyberattack the company faces, or even on the absence of such attacks, within a given reporting period.
On the one hand it makes sense that the government takes an interest in protecting the public and investors. On the other hand, cybersecurity is one area where full transparency may be counterproductive. Informing the public of a hack has the unwanted side-effect of letting the criminals know, perhaps prematurely, that their attempt failed or has been detected.
Here are five big reasons why these new regulations may only make your life harder:
(1) SHOWING YOUR POKER HAND
Too much detail in these reports may provide a road map for attacking other vulnerable industries and companies. If the bad guys know their work is being monitored, they can use this information to modify their tactics.
(2) OPENING YOURSELF UP TO INVESTOR & CLIENT LITIGATION
Too much information, particularly when such information is poorly understood and poorly presented, could unleash a Pandora’s Box of investor and client lawsuits filed over unsuccessful attacks, attacks that went unreported past the deadline, and suspected attacks for which there is little or no evidence.
(3) INFORMATION OVERKILL
A large healthcare, energy or financial organization lives under constant threat from cyberattacks. While reporting every such attack might seem reasonable, cybersecurity experts know that 100% protection is a lost cause. It would be easier to identify each mosquito implicated in a malaria infection or each drop of ocean water affected by radioactive discharges from the Fukushima nuclear power plant.
(4) EXTRANEOUS REPORTS MAY RELEASE SENSITIVE INFORMATION
Well-intentioned regulations often have the unpleasant side effect of burying companies under an avalanche of paperwork. Unfortunately, each piece of paper a company releases inherently carries risks. Why share with your competitors the ways in which your systems have been under assault when they will only use this information to discredit your business and steal market share from you? Filing such reports also has the potential to give away trade secrets; as data becomes public, certain business strategies may be revealed.
(5) FOREIGN TERRORISTS & CRIMINALS DON’T FIGHT FAIR
The biggest elephant in the room is that the most serious threats come from bad actors abroad: state-sponsored and state-sanctioned cybercriminals linked to Russia, China, Iran and North Korea. American home-grown terrorist hackers acting in coordination with nefarious overseas interests are another migraine. Together they make the life of many a CISO a living hell, because they don’t play by rules and regulations (like those of the SEC).
Deciding what to report and when is a fraught and consequential decision. Many IT professionals don’t have the business training or knowledge to know when an event is “material” and therefore reportable.
Don’t let the SEC’s latest open kimono policy catch you flat-footed! The best way to ensure you’re protected both against cyber threats and compliance failures is to work with Cyber Defense Advisors. We’re technically impeccable and business-savvy. We can help you save money by reducing and replacing redundant and outdated technology, freeing up your IT staff, generating compliance reports efficiently and cost-effectively, and helping you keep hackers and cybercriminals at bay.
Contact us today to see how our services can be tailored to fit your needs.