UPDATED 19:12 EDT / DECEMBER 14 2023


New SEC cybersecurity incident disclosure requirements go into force in coming days

New cybersecurity disclosure requirements mandated by the U.S. Securities and Exchange Commission will go into force in coming days, requiring companies to disclose cybersecurity incidents, with some exceptions, within four days of their occurrence.

There are two components to the disclosure rules. The first is mandatory cybersecurity incident reporting of “material” incidents. The disclosure of incidents would be via an 8-K form and must be reported within four business days of the incident. The second component requires companies to disclose their policies to manage cybersecurity risk, including providing updates on previously reported material cybersecurity incidents.

The requirements include describing the nature and scope of the incident, the impact on the company’s operations and any remedial actions taken. Additionally, companies must disclose their cybersecurity risk management, strategy and governance in annual reports. Companies are required to describe their policies and procedures to identify and manage cybersecurity risks, the role of the board of directors in overseeing these risks and management’s role in implementing cybersecurity policies and strategies.

The requirement to report a cybersecurity incident within four days is effective starting Dec. 18, while the need to disclose cybersecurity management details in annual reports is effective Dec. 15.

However, not all cybersecurity incidents will be treated the same. According to guidance issued by the Department of Justice earlier this week, companies can delay reporting incidents where there could be national security risks.

Potential risks that would allow a company to delay reporting include cases where the cybersecurity incident is reasonably suspected of having involved a technique for which there is not yet a well-known mitigation, where the incident primarily impacted a system that contains sensitive U.S. government information, or where the registrant is conducting remediation for critical infrastructure or a critical system and a disclosure revealing that the registrant is aware of the incident would undermine those efforts.

Cybersecurity professionals have mostly welcomed the new requirements. Mike Walters, president and co-founder of risk-based patch management company Action1 Corp., told SiliconANGLE that the benefits of these new rules lie in the increasing prominence of cybersecurity.

“It will undoubtedly positively impact cybersecurity enhancement plans in organizations,” Walters said. “Specifically, organizations must now establish a robust cybersecurity risk management strategy subject to regulatory audits. I hope these rules will incentivize greater cybersecurity efforts. Naturally, there will be some initial confusion as companies assess how to navigate the regulations, but everyone will adapt.”

Walters does warn that there is a concern that the disclosures may affect the reputation of companies. “Companies can no longer conceal cybersecurity breaches, which means that any breach can impact their reputation,” Walters added. “They may find that most of their incidents aren’t material and may thus choose not to disclose them, driven by the desire to avoid reputational harm. At the same time, if the law requires the disclosure of minor incidents, it will not necessarily solve this problem either, as this approach could overwhelm regulators with incident reports.”

Mike Scott, chief information security officer at data security company Immuta Inc., also noted that there may be issues, saying that “achieving the SEC’s requirement is not an easy task and there are fears that some situations will put companies in a tough predicament balancing the SEC, legal requirements and protecting themselves and customers against further damage. As a result of this ruling, the need for more in-depth training and certifications for security teams will be spotlighted.”

Sean Joyce, global cybersecurity and privacy leader and U.S. cyber, risk and regulatory leader at PricewaterhouseCoopers LLP, spoke with theCUBE, SiliconANGLE Media Inc.’s livestreaming studio in August, about the new SEC requirements and what companies need to know about them:

Photo: SEC/Flickr
