The United States Securities and Exchange Commission (SEC) has issued new guidelines to companies on when to report a cyber attack, and security analysts say that the guidelines lack teeth, even after the commotion created by the Equifax saga.
It has been 7 full years since the SEC last advised companies on how to disclose details of cyber attacks and how to tell investors whether they had suffered a cyber attack deemed to be material.
In its latest update of the cybersecurity disclosure guidelines, the SEC has clearly warned public companies to disclose an attack in a timely manner, so that prospective investors and the capital markets are alerted. At the same time, it has asked companies' board members and senior executives to pay close attention to their company's image once a disaster such as a cyber attack strikes their IT assets.
According to an audit report compiled by Audit Analytics, a firm that tracks securities law filings, only 24 companies reported breaches to the SEC in 2017. But the SEC believes the true number could be higher, or even double, what is being reported.
Perhaps the dilemma of being tarnished in the market by the attack and being ignored by investors in future is what pushes companies to stay quiet.
Readers of Cybersecurity Insiders should also note that since 2011, when the SEC issued its initial cyber guidelines, only 106 companies have reported cyber attack incidents to the SEC.
Yet Audit Analytics reports that 4,732 cyber attacks took place on American firms between 2011 and 2017, of which only 106 incidents were reported as material in that time.
The SEC has also made it clear that it will take stringent action against companies that are tardy in disclosing data breaches. The agency is already investigating Yahoo's two data breaches in 2013 and 2014, which the company did not disclose until 2016 even though the information of more than 3 billion users was compromised.
The SEC's response to the Equifax data breach is still awaited, as the investigation into some issues is ongoing.
Hopefully, American corporations will take the new SEC guidelines as a starting point and use them as a collective opportunity to foil sophisticated cyber attacks in future.