Feds brace for implementation of SEC cyber disclosure rules
The U.S. government is readying to implement contentious new disclosure rules for digital attacks that could both create headaches for the private sector and law enforcement and shed invaluable light on the state of ransomware and online threats.
On December 18, a rule passed earlier this year by the Securities and Exchange Commission will go into force that in most cases requires public companies to disclose when they have experienced cyber incidents no later than four business days after they determine the intrusion will have a material impact on operations.
The obligation has prompted massive backlash from industry, which has argued that the requirement is too onerous for such a brief timeframe, and from Capitol Hill, where Republican lawmakers have introduced legislation that would repeal it altogether.
Nonetheless, agencies have begun preparing to execute the SEC directive, including setting out how possible exemptions will be handled.
The Justice Department on Tuesday issued guidance on how it will determine whether companies qualify for disclosure delays — specifically when the Attorney General determines that the disclosure would pose a threat to public safety or national security. It details several categories of circumstances where the department believes that standard might apply.
The explanation comes days after the FBI released its own exemption policy.
A ‘flexible’ rollout
It remains unclear what the full impact of the new policy will be or how much incident information will flow between the private and public sectors.
“The bottom line is we do not know what that volume will be,” a senior FBI official told reporters during a conference call on Wednesday.
“It’s something that has kept us very much front of mind in terms of needing to remain flexible in terms of our processes, to be loyal and allegiant to what we're committing to victims, but also to not understanding volume and how that can drive resource demands throughout the U.S. government,” said the official, who spoke on the condition of anonymity.
Similarly, a senior DOJ official said it’s unknown how many exemptions will be provided.
“In our discussions, we have generally thought that the grounds for meeting the exception is not going to be met all that often,” they said.
The senior FBI official noted the bureau’s Cyber Watch, or “CyWatch,” operations center would act as the centralized intake point for the agency, which in turn would share information throughout the federal government. They later declined to say if more analysts had been hired to staff the hub.
One concern about the new SEC mandate is that threat actors may aim to weaponize it against victims. Just last month a ransomware gang struck financial software company MeridianLink and touted its successful attack before the firm could inform the agency.
“We would expect no different than any other lever of extortion that's available to the threat actor that they will try to leverage this,” the FBI official said. “We would just point all victims or potential victims or companies back to security fundamentals that are so important to prevent” intrusions.
It also remains to be seen if the new disclosure rule will help inform federal officials of the state of digital attacks on the country as a whole.
“We know that there is ubiquitous underreporting of cybersecurity incidents, and that diminishes our ability to help victims, our ability to provide effective guidance, our ability to understand adversary trends and drive broader risk reduction at scale,” a senior Cybersecurity and Infrastructure Security Agency official told reporters.
That said, agencies believe “more reporting, more visibility is a net benefit to the cybersecurity community,” the official added, noting the rule is not a replacement for voluntary reporting to CISA or the FBI.
The CISA official said federal officials want to make the submission process “as frictionless and seamless” for organizations “given the strict timeline and the SEC rule and to ensure that the broadest possible array of perspectives are brought to bear so that the eventual decisions account for the circumstances of the intended victim.”
For their part, the FBI official declined to comment on the congressional pushback against the commission’s rule.
“What I will say is that we feel we have an affirmative obligation to those organizations in the United States that are regulated by the SEC to produce transparent guidance about our process responsive to the SEC rule,” they said.
“We're certainly open to remaining flexible as things unfold in the first couple of months of the rollout of this delay provision.”
Martin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.