Leading IT security group recommends SEC reconsider proposed incident reporting rules

U.S. Securities and Exchange Commission Chairman Gary Gensler takes a seat before the start of a Senate Banking, Housing, and Urban Affairs Committee hearing on September 14, 2021 in Washington. (Photo by Bill Clark/Pool via Getty Images)

Since the Securities and Exchange Commission publicly proposed significant changes to its cybersecurity reporting rules two months ago, legal, financial and IT security experts have offered their two cents on the usefulness (and practicality) of these changes.

The most recent, and perhaps most pointed, comments came earlier this week from the Internet Security Alliance (ISA), which filed them with the federal financial regulator on Monday.

The SEC’s initially published proposal would significantly reduce the turnaround time for reporting cybersecurity incidents and policy changes. At the heart of the proposal, among other things, institutions would be required to report on their cyber policies, procedures and methods within four days of experiencing a cyber incident deemed “material.”

In their comments this week, ISA officials urged the commission to re-evaluate its recent proposal, asserting that the changes would not only present challenges for the companies affected, but that the new requirements could indeed create new financial concerns for businesses that had previously suffered online attacks.

“It is not so much the concept of cybersecurity disclosure that is problematic as the types and methods of disclosure that the ISA urges reconsideration,” ISA Chairman Larry Clinton said in a letter to the SEC regarding the proposed changes.

Instead, the multi-industry internet group suggested the SEC should take a more “risk management-based” approach to developing disclosure rules, one that would weigh the benefits of disclosure against the risks on the basis of empirical evidence. The ISA suggested that since cybersecurity is only one area of regulatory oversight for the broad-based, finance-focused commission, the SEC might be “underestimating” how difficult it can be to determine how “material” various cyber incidents are.

Additionally, ISA officials claimed that requiring breach details to be reported within 96 hours could, in some cases, help attackers more than the companies and investors these policies seek to support, as well as creating the potential for stock manipulation or other financial fallout, the very problems the SEC has said it hopes the new proposals will correct.

The SEC’s proposed rules could, in fact, put information into the hands of bad actors, who could use it to short sell stocks or trigger short-term price declines, according to the ISA’s comments, which would effectively work against the SEC’s own goals.

For example, ISA pointed out that while the damage (or “materiality”) of a ransomware attack could be quickly detected, the long-term effects and analysis could take much longer than four days. Rushing to offer information, according to the ISA, could “create false information for the market”.

“Disclosure of the rules will be informative or not,” Clinton said in his letter. “Since attackers are more sophisticated than the investment community, any disclosure detailed enough to help an investor will almost by definition be more helpful to the attacker.”
