Disclosure policy
Experts Say Hackers Could Benefit From SEC Cyber Incident Reporting Rules
Harley Geiger, a counsel at the Center for Cybersecurity Policy and Law, said the Securities and Exchange Commission’s new cyber incident reporting policy could put businesses at greater risk.
On Wednesday, the SEC approved rules that give public companies four days to reveal breaches classified as material to investors. Such disclosures will be publicly viewable through the commission’s 8-K forms.
According to Geiger, making such information easily accessible could alert other hackers to system vulnerabilities that may still be unaddressed given the four-day timeline. He added that ongoing attacks could intensify if their perpetrators learn of the incident reporting.
The SEC rule allows for extensions to the disclosure period if the U.S. attorney general determines that there are potential risks to national security or public safety.
Meanwhile, Safe Security CEO Saket Modi warned that most businesses could have difficulty complying because they lack the capacity to determine whether a breach is material, CyberScoop reported Wednesday.
The Atlantic Council’s Cyber Statecraft Initiative recently released a report supporting the SEC’s new policy, saying it would benefit decision-making by investors and lead to accessible and standardized cyber incident data.