New US Securities and Exchange Commission (SEC) rules will force publicly-listed US companies to inform investors that they’ve suffered a data breach within four days – lifting the bar for breach disclosure and raising questions about whether Australia will follow suit.
Passed in late July after months of discussion, the new rules published by the SEC – the American equivalent of ASIC – give any publicly listed company four days to disclose details of a “material” data breach by filing one or more SEC Form 8-K.
Long used to inform share markets about significant business risks that could change the company’s financial position, use of the 8-K form for notifications – and subsequent amendment forms as more details of the breach emerge – is favoured because it will, the rules note, “allow investors to more quickly identify updates regarding incidents that previously were disclosed.”
Filings will need to describe the “material aspects of the incident’s nature, scope and timing”, as well as describing the incident’s likely impact on the company.
For the purposes of the rules, a cyber security incident is defined as “a series of related unauthorised occurrences” – whether by one threat actor engaging in “a number of smaller but continuous cyber attacks” or many cybercriminals exploiting the same vulnerability “and collectively impeding the company’s business materially.”
The new rules also require companies to describe their processes for identifying and managing cyber security threats, as well as documenting the way their board of directors oversees cyber security risks – and the “role and expertise” of management in evaluating such risks.
“Whether a company loses a factory in a fire, or millions of files in a cybersecurity incident, it may be material to investors,” SEC chair Gary Gensler said in announcing the new rules.
And while many public companies do disclose details of data breaches, Gensler said, “companies and investors alike would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
A year after the policy kicks off at the end of 2023, companies will be required to tag the Form 8-K cyber security risk filings using the Inline XBRL markup language, which the SEC adopted in 2018 and integrated into its publicly available EDGAR search portal as a standardised format for reporting company financial statement information.
Out of the shadows
Having been required to report data breaches to the Office of the Australian Information Commissioner (OAIC) since 2018, breached Australian organisations must inform victims of their potential exposure but are not required to publicly report breaches in any kind of standardised way.
The chronically understaffed OAIC publishes summary statistics but rarely audits data breach responses, limiting visibility of the 1,000 or so breaches reported during a typical year to what analysts can extrapolate or infer.
ASIC has signalled it is increasing scrutiny of “cyber and operational resilience” and expects ASX-listed companies to share news about material breaches – but a recent University of Wollongong analysis found that just 11 of 36 cyber attacks against ASX-listed companies were reported to investors over the past decade.
One Comparitech analysis even found that 58 per cent of companies ignored the firm’s advice that they had been breached – reflecting a corporate culture in which many companies continue to live in denial as they downplay the impact of breaches.
Improving this situation is one of the numerous options canvassed by a government expert panel in a discussion paper guiding the government’s upcoming 2023-2030 update to the Australian Cyber Security Strategy.
The OAIC’s submission supported the idea of a single reporting portal – which would improve visibility of data about NDB breaches but might or might not be available publicly – while KPMG argued that mandatory reporting requirements are important “for policy makers to understand the true impact of cyber incidents on the community”.
Mandatory reporting obligations “[ensure] that we have a much better understanding of what attacks are coming down the pipeline and impacting our critical infrastructure, and by extension, more widely across our economy,” Minister for Cyber Security Clare O’Neil said during a recent speech to industry.
“Importantly, we are also collecting this information so we can also share it with industry to help them be better prepared, and break that cycle of threat.”
Not all organisations agree, however: the Law Council of Australia, for one, said it “generally favour[s] voluntary principles-based governance standards because it is the most agile and responsive approach to managing cyber security risk through corporate governance.”
The new SEC policy – which passed by a close vote of 3 to 2 – even remains controversial in the US, where dissenting SEC commissioner Hester M. Peirce warned that the new rule “[veers] into managing companies’ cyber defences” and “looks like a compliance checklist for handling cyber risk, a checklist the SEC is not qualified to write.”