New SEC Cyber Incident Disclosure Rule – Helps Even Small Companies
You probably haven’t thought about this if you are privately owned. You might not even have heard about it.
Effective September 5th, publicly traded companies have four business days to disclose a material breach. That disclosure, on a Form 8-K, will be publicly available on the SEC’s EDGAR public company reporting site, the same place they file their quarterly and annual reports and other public forms.
They only have to report it if it is material – something that the lawyers will argue about for years.
Just recently, both Caesars and MGM did file 8-Ks on their breaches, but one of them didn’t quite get it filed within the required four business days. But close.
The complaint about the rule is that many companies have such crappy security practices that they don’t really know what is happening after just four days. That is legitimate, but the SEC is not requiring them to disclose everything and is not stopping them from filing reports to add more information later.
For breached companies, four days does not give their lawyers much time to figure out how to spin the breach news in a way that does not hurt stock price or the company’s reputation. They would prefer not to publicly disclose breaches at all. Now, likely, there will be multiple 8-Ks based on the new SEC rules.
If you look at the MGM and Caesars breaches, one filed a very detailed report; the other a bare-bones one. Likely this is indicative of the condition of their security programs. One understood what was going on quickly; the other not so much.
It is clear how this helps investors. It gives them a heads up that more news will be coming and that will help them decide whether to buy, hold or sell their securities.
But how does it help privately held companies?
Even small companies use publicly traded companies as vendors. Vendors often have the small company’s data.
Private companies now have a new tool to help monitor their vendors. Likely, the vendor management companies that small companies use will be monitoring the 8-Ks for their clients, warning them that a breach happened.
Once you have found out that a vendor had a breach, you can activate your incident response program and figure out whether you have a problem.
Historically it has often taken months for a company to find out that a vendor had been breached; now it should happen a lot quicker.
Credit: Health IT Security