back to article Crooks pwned your servers? You've got four days to tell us, SEC tells public companies

Public companies that suffer a computer crime likely to cause a "material" hit to an investor will soon face a four-day time limit to disclose the incident, according to rules approved today by the US Securities and Exchange Commission. The SEC proposed the changes last March, and on Wednesday the financial watchdog voted to …

  1. MachDiamond Silver badge

    Odd this

    The phrase "Without reasonable delay" sorta seems like it should be "Without UNreasonable delay". The timeline is also exceptionally tight if there is a reason that delaying means needing to get permission from any Attorney General's office. They don't often check their emails and it's hard to find a valid address for them in the first place that won't just generate a form letter in response and naught else.

    The other question is what they should report. Teams would first want to identify the path that somebody used to get in, get that patched right away, sort out what might have been compromised and get notifications to affected parties before all of this hits the news. I get it, companies have been waiting months and months before a news of a big exploit is leaked and the company is forced to own up. But, 4 days?

    1. ChoHag Silver badge

      Re: Odd this

      > The phrase "Without reasonable delay" sorta seems like it should be "Without UNreasonable delay".

      I could care less about that.

      Couldn't you?

    2. Yet Another Anonymous coward Silver badge

      Re: Odd this

      So it will become a box-ticking exercise.

      Once somebody posts a "we detected a possible attack and are investigating the impact" statement and it's accepted by the SEC it will become precedent and so everyone will just submit the same statement every time there is a hit on their firewall

      It's like how after 9/11 banks were made to report suspicious transactions and so just flagged almost everything because there were massive penalties for not reporting, but no follow-up if they did

  2. Pascal Monett Silver badge

    Hang on a minute

    "a company can delay filing this report with the SEC if the US Attorney General determines that openly disclosing the intrusion immediately would pose a major risk to national security or public safety"

    How is the Attorny General able to make a decision if the company is delaying its filing ?

    Does it mean that a company should contact the Attorny General immediately and get a decision before deciding to delay the SEC filing ?

    1. James 139

      Re: Hang on a minute

      Good question. I'd have thought any company that poses a risk to either would know they were in that position, by virtue of their operations being of a national security or public safety issue, and therefore have been granted such a dispensation in advance.

      Of course, that would never be abused to delay a filing if the intrusion didnt involve a different, unrelated, part of the operations, would it..

      1. Anonymous Coward
        Anonymous Coward

        Re: Hang on a minute

        Reads a bit like you have 4 days to tell the market unless the police/justice tell you otherwise. And you did call the police right?


        (In reality, good luck getting a call back from my local law enforcement in 4 days for an online attack.)

    2. Lil Endian Silver badge

      Re: Hang on a minute

      Before full analysis of a breach can be completed the cause is deemed "not fully understood". Shirley the assumption must be that it could (ie. will) impact national security and/or public safety - to assume otherwise would be remiss. Reveal a zero day? But, nah! Four days...

      And "national security" --- what about the security of your sister nations, the internet as a whole? "Meh, fuck it!"

      A great example of knee jerk regs by those wanting to look like they're doing their bit and... and.... aaaargh!!

      Perhaps report, but don't publicise FFS.

      [Edit: I see others have posted similar, didn't read down, apols for the hijacking.]

  3. chuckufarley Silver badge

    I knew it!

    El Reg works for the Feds!

    The rules, which take effect 30 days after being signed into the Federal Register later this year, will require publicly traded firms to openly disclose in a new section (Item 1.05) of Form 8-K any cybersecurity incident that has a material impact on their business.

    1. MachDiamond Silver badge

      Re: I knew it!

      "any cybersecurity incident that has a material impact on their business."

      That's poorly worded. Often, an attack has a material impact on the company's customers through the release of PII, credit card numbers, inventory of purchases, etc. The company itself may not have had any of its business data stolen (accounting, bank account numbers, executive private contact information, unreleased digital assets, marketing plans, etc).

  4. Claptrap314 Silver badge


    If recent post-mortems are anything to go by, then it is not unusual for it to take more than four days to even stop an active attack. And certainly more to determine the scope of the damage. I am certainly a fan of full and early disclosure, but this feels...premature.

    And yes, likely to make a stock choppy, which is really bad for average investors.

    1. Anonymous Coward
      Anonymous Coward

      Re: WAT?

      Not disclosing until insiders have unloaded their stock is what hurts average investors, which is why insiders stock holders and insider short sellers don't like it.

      1. Marty McFly Silver badge

        Re: WAT?

        Insiders have huge restrictions on when they can trade. They cannot call their broker and sell today. They have to schedule their transactions in advance, cannot coincide with earnings announcements, etc. The further inside they are the longer the lead time and the more the restrictions.

        A better policy would be a mechanism to suspend any new insider trades from being scheduled once an attack is internally uncovered.

        1. Anonymous Coward
          Anonymous Coward

          Re: WAT?

          The way to succeed in insider trading would be to cooperate in sprawling scratch-my-back-and-i'll-scratch-yours networks that enables people who don't look like insiders to behave like insiders.

          1. doublelayer Silver badge

            Re: WAT?

            That happens and works, but regulators look for it and, if they find out, they will punish everyone in the group. Insider trading that goes that way usually leads to tax fraud because you can't explain how you came by the profits of that trade*, and that means that not only will the tax authorities be looking for it, but if you're caught, you'd likely be charged with tax evasion or money laundering in addition to insider trading. So yes, it can be done, but it's risky to attempt.

            * The person who engages in the trade can explain their profits and pretend they didn't know about the internal information. The person who leaked that information, on the other hand, will have to be paid off by that person somehow. If they just buy expensive stuff for the original source, it would be a lot of assets that they didn't earn, and if they pay it in cash, then the tax authorities will expect an explanation of why because it will affect how it is taxed. Not perfect, but it does work.

  5. Anonymous Coward
    Anonymous Coward

    Four Days........Someone, somewhere has a sense of humour! bad guys were exfiltrating data from Equifax for MONTHS......before someone at Equifax woke up!

    So.....four days after they woke up! Pathetic, really.

    What is needed is jail time for people who were (and are, elsewhere, today) asleep at the wheel for MONTHS!


    1. James 139

      Re: Four Days........Someone, somewhere has a sense of humour!

      Does always make me wonder why they suddenly notice "data was accessed" long after the event, assuming it was a one off swipe, rather than an ongoing event.

      If it comes down to reviewing access logs, thats really quite terrible.

      1. doublelayer Silver badge

        Re: Four Days........Someone, somewhere has a sense of humour!

        Yes, that is often it. The malicious party was able to impersonate someone with access and access data in quantities small enough not to set off alarms, or if they're better at the job they disabled the alarms. The main way to figure out what happened is to go into the logs and look at what happened when you know that represented an external attacker, not an internal authorized person or system. More alarms would be useful, and some places are certainly guilty of not having them when they needed them, but sometimes they were there and the attacker managed to bypass them at the time.

        1. Anonymous Coward
          Anonymous Coward

          Re: Four Days........Someone, somewhere has a sense of humour!

          "impersonate someone with access" typically equates to no alarms...

    2. Mike 137 Silver badge

      Re: Four Days........Someone, somewhere has a sense of humour!

      "asleep at the wheel for MONTHS!"

      For much longer than that in fact. The first problem was that, even when alerted to the hazard and provided with a fix in good time, they couldn't find the vulnerable service because there was no centralised inventory to refer to and the list of "responsible parties" was not up to date. The second was that they'd let the decryption certificate on their traffic filter appliance expire so it passed the attack and the exfiltration unchecked. Third, they'd allowed someone to store a plaintext list of server credentials on one of the first servers to be breached, permitting the attack to spread. I'm not sure what else they could have done to ensure they were vulnerable -- not just to this attack but to pretty much anything thrown at them. The underlying cause was a business policy -- prioritisation of service acquisitions over their proper integration and security management.

    3. Marty McFly Silver badge
      Thumb Down

      Re: Four Days........Someone, somewhere has a sense of humour!

      "Hi. We would like to offer you a job in InfoSec. You will be defending our company from all known & unknown cyber security threats and attacks."

      "Sounds good. When do I start?"

      "As soon as possible. Your predecessor just got hauled off to jail because the bad guys got lucky once. We not only made sure his Career Is Over, we ruined his life too. He was a good chap and did the best he could with the budget we gave him. You see, the government has to punish someone, and since they cannot catch the bad guys they now punish the good guys instead."

      "Isn't that like shooting the goalie every time the opposing team scores a point? No thanks, I'll pass on this job."

      1. CrackedNoggin Bronze badge

        Re: Four Days........Someone, somewhere has a sense of humour!

        That happens when it seems possible to get away without reporting and the onus is pushed onto the cyber security director to take responsibility, and the cyber security director accepts it. The case of Uber and Joseph Sullivan, along with strong whistleblower laws, should fix that.

  6. FlamingDeath Silver badge

    If I don’t look..

    If I don’t look then they’re not there, problem solved and cheaper! IF Until they say Boo! that is

    1. DJV Silver badge

      Re: If I don’t look..

      Aha, the ol' "Monster Under The Bed" tactics!

  7. Anonymous Coward
    Anonymous Coward

    4 days is good

    But only if the nat-sec companies have 8 days.

  8. Lil Endian Silver badge

    The Board's Role In Cyber Risk Management

    Get CISOs, CSOs, CTOs and CIOs etc that you trust, give them the budget they say they need, fuck off to the golf course.

    1. Claptrap314 Silver badge

      Re: The Board's Role In Cyber Risk Management

      Yes, but even that seems to be far to much to expect of many companies.

  9. Mike 137 Silver badge

    "First: get educated about key topics

    Second: engage with the CISO and other C-Suite leaders to better understand security gaps and resource needs

    Third: "Stay informed about ongoing reporting activities, ask questions, and work with the CISO and other leaders to understand cyber risk metrics"

    That's a summary of what ISO 27001 clause 5.1 "Leadership and commitment" says, but it hasn't apparently had much general effect so far. The average time to detection for security breaches is still in the order of several months, so it's hard to see how this new regime is going to work in practice.

    1. Anonymous Coward
      Anonymous Coward

      The average time to the "reported" detection date.

  10. MacGuffin

    Beware SCOTUS and the Major Questions Doctrine

    All one of those hacked companies has to due is file a lawsuit claiming the SEC has exceeded their authority and SCOTUS will decide against SEC under the made-up Major Questions Doctrine.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like