August 4, 2023

New SEC breach rules: Thoughts on the 4-day disclosure

The Securities and Exchange Commission (SEC) made a significant decision last week. They voted in favor of implementing fresh regulations that will make it mandatory for publicly traded companies to report cybersecurity breaches in their systems to the government – within four days of determining that the incident will significantly impact their operations.

While the move aims to enhance transparency and accountability for businesses and their shareholders, we asked our team for the hot take. Are four days enough time? And what might public companies do differently? Here are thoughts from Ballistic General Partners Jake Seid and Roger Thornton.

Are four days really enough?

“This timeframe is going to be a challenge on several fronts and may be a bit misleading,” noted Ballistic GP Roger Thornton. “Assuming the notification is *after* determination, then four days is not a big problem. However, it often takes weeks or even months to fully investigate a breach, so those four days would not be as rapid as one would think.” 

“One major problem that companies are going to have is the risk of an SEC inquiry challenging when that determination took place,” Thornton added. “One email early on in an investigation, hypothesizing the extent of the impact, would put a company in a very bad situation.”

How might public companies adapt to the ruling?

“This ruling is going to fundamentally transform the Board of Directors of many companies,” said Ballistic GP Jake Seid. “In a similar way to how boards have brought in deep financial experts as audit committee chairs, public company boards will now need to bring in experts with deep cybersecurity expertise.” 

“Just as financial experts on audit committees provide oversight and checks and balances on financial risk, cyber risk is now shoulder-to-shoulder with financial risk and needs the same level of expertise on the board to provide proper oversight,” Seid added.

How might security product adoption change in public companies?

“This will clearly force adoption of cybersecurity capabilities more evenly across the base of public companies,” suggested Thornton. “Today these capabilities are tipped heavily towards the Fortune 500 – the largest companies in the most heavily regulated industries.” 

“This effort could end up being disruptive and harmful for a lot of companies, including the everyday companies that make up the majority of publicly listed firms. The solutions developed that keep large global financial banks secure, simply won’t scale down to the needs of the Russell 2000,” he went on.

“Innovations will be needed as the broader base of companies across more industries invest in cybersecurity capabilities,” Thornton said. “If this can be managed effectively it will ultimately be a windfall for the entire economy.”