Markael Butler
Associate Editor
Loyola University Chicago School of Law, JD 2024
On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies. In an attempt to further protect against cybersecurity attacks and increase cyber transparency among issuers and investors, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Before CIRCIA goes into effect, it requires the Cybersecurity and Infrastructure Security Agency (CISA) to complete mandatory rulemaking activities: developing and publishing a Notice of Proposed Rulemaking (NPRM) and then a final rule. The SEC proposal and CIRCIA have different implications, but both will increase cybersecurity regulations and procedures, and will even make employees more conscious of potential attacks.
SEC proposal and cybersecurity
Cyber attackers do not favor one target over another. Individual citizens, governments, and corporations have all been victims of such attacks. For this reason, increased transparency and regulation of cybersecurity measures benefit everyone, as they help protect against financial loss, customer data loss, and internal and external threats. The new SEC proposal would mandate reporting from public companies about current and previously reported material cybersecurity incidents. Once a public company has experienced a material cyber incident, the incident must be disclosed to the SEC within four business days. With respect to the SEC proposal’s effect on securities law, information would be material if “there is a substantial likelihood that a reasonable shareholder would consider it important” or if it would “have significantly altered the ‘total mix’ of information made available.” Materiality is assessed objectively, in light of the specific circumstances of the incident.
The new SEC proposal will also require increased oversight by the board of directors of the policies and procedures implemented to combat cyber-attacks. If a member of the board has expertise in the company’s cybersecurity practices, “the registrant would have to disclose the name(s) of any such director(s), and provide such details as necessary to fully describe the nature of the expertise.” One would hope that sensible corporations have already taken steps to protect their data. This rule would require public companies to strengthen their cybersecurity procedures and would additionally hold them accountable, through regulatory fines or legal judgments, for not taking the appropriate steps to protect the highly sensitive information of their stakeholders and investors.
CIRCIA reporting requirements
CIRCIA requires companies in critical infrastructure sectors to report a covered cyber incident within 72 hours of forming a “reasonable belief” that one has occurred, and to report a ransom payment within 24 hours of making the payment. Critical infrastructure sectors include financial services, healthcare, energy, and emergency services. As the rule will take some time to go into effect, the director of CISA will have to develop the proposed rules implementing the reporting requirements and define the terms used in the rule, such as “reasonable belief” and “covered cyber incident.”
How will these proposed requirements help prevent attacks?
Several cyber-attacks have occurred this year. Hackers have utilized adversary-in-the-middle phishing techniques targeting credentials for Microsoft email services. Medallion, Inc. suffered a data breach in which the names and Social Security numbers of certain individuals were taken. There is increased concern about data security and the risk that hackers could infiltrate corporations’ databases and obtain sensitive data. Companies also need to ensure their employees are aware of the different ways hackers will use them as pawns in their schemes. For example, companies need to educate their employees about social engineering.
A social engineering attack generally involves a hacker impersonating another company that the employee’s company might work with, or an executive of the company the employee works for. An attack could be months in the making. Hackers can get inside a company’s email and start to watch who is emailing whom and what those emails contain. Eventually they will choose a victim and send them an email, slightly changing the email address of an executive or someone the victim knows. Often, they will then tell the employee that account number X has changed and that they need to send Y dollars to a new account immediately. An unsuspecting employee may comply without ever considering the possibility that they could be taking part in a scam.
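As an added illustration (not part of the original post), here is a simple defender-side heuristic that flags the pattern described above: a lookalike sender domain, an executive’s name arriving from outside the company domain, a request to change a payment account, and urgency wording. The company domain, executive names, thresholds and the sample message are all constructed for this example.

```python
import re
from difflib import SequenceMatcher

# Constructed values: the organisation's real domain and known executive mailbox names.
TRUSTED_DOMAIN = "example-corp.com"
EXECUTIVE_LOCALS = {"jane.doe", "john.roe"}

# Wording typical of payment-diversion requests (either order of the key words).
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed)\b.*?\b(account|bank|wire)\b"
    r"|\b(account|bank|wire)\b.*?\b(changed|updated)\b",
    re.IGNORECASE | re.DOTALL,
)
URGENCY = re.compile(r"\b(immediately|urgent|urgently|today|asap)\b", re.IGNORECASE)


def lookalike_domain(domain: str, threshold: float = 0.85) -> bool:
    """True when the sender domain is close to, but not identical to, the trusted domain.

    The 0.85 similarity threshold is an assumed tuning value, not an industry constant.
    """
    if domain == TRUSTED_DOMAIN:
        return False
    return SequenceMatcher(None, domain, TRUSTED_DOMAIN).ratio() >= threshold


def score_message(sender: str, subject: str, body: str) -> list[str]:
    """Return the list of reasons a message looks like executive impersonation / BEC."""
    reasons = []
    local, _, domain = sender.lower().rpartition("@")
    if lookalike_domain(domain):
        reasons.append(f"lookalike sender domain: {domain}")
    if local in EXECUTIVE_LOCALS and domain != TRUSTED_DOMAIN:
        reasons.append("executive mailbox name used from outside the trusted domain")
    text = f"{subject}\n{body}"
    if PAYMENT_CHANGE.search(text):
        reasons.append("request to change payment account")
    if URGENCY.search(text):
        reasons.append("urgency language")
    return reasons


if __name__ == "__main__":
    # Constructed sample: a digit '1' replaces the 'l' in the company domain.
    flagged = score_message(
        "jane.doe@examp1e-corp.com",
        "Wire transfer",
        "Our bank account has changed. Please send $45,000 to the new account immediately.",
    )
    print("\n".join(flagged))
```

A message that trips more than one of these checks is a candidate for an out-of-band verification step (for example, calling the executive on a known number) before any payment detail is changed.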
While companies have started educating their employees on social engineering, it remains vital that regulations and procedures, like the SEC proposal and CIRCIA, are designed to guide companies on how to defend against and respond to these types of cyber-attacks. The SEC proposal would require reporting of past material cybersecurity incidents, which would give greater insight into what types of attacks to look for and how to combat them. The 72-hour reporting rule from CIRCIA also allows for quicker transparency among companies, as it helps the SEC learn of new ways a company has been attacked and pass that information on to other companies.
Ultimately, companies are becoming more aware of these types of attacks and how to combat them, such as through the use of multi-factor authentication and anti-phishing defenses. Moreover, the SEC’s newly proposed regulations and CIRCIA are helping to support these efforts. Combined, these efforts will hopefully lead to a safer work environment, both for companies and for the people who invest in them.