New Cyber Disclosure Rules and Record Hacking Demand Advanced Communications Planning
New SEC rules take effect Dec. 18, requiring public companies to disclose material impact from cyber events and developments within 4 business days.
New FTC disclosure rules for financial institutions -- including private firms -- scheduled for May 2024.
Cyber attacks on record-breaking pace in 2023 as hackers deploy new tactics and AI.
Now is the time for companies to give communications leaders a seat in the cyber war room.
Companies face the triple reputational threats of tightening federal disclosure rules that will force them to announce certain incidents; an unrelenting surge of cyber-attacks; and increasingly aggressive and sophisticated cybercriminals, who are looking to AI to enhance their exploits – and quick to publicly boast of them.
The Securities and Exchange Commission’s new rules, beginning December 18th, will require public companies to report incidents within four days of identifying “material” impact. Only the SEC knows what “material” means. What is clear is that companies face serious penalties for non-compliance, and one measure of the skittishness in the marketplace has been the growing number of immaterial cyber incidents that companies have reported on Form 8-K in recent years.
The result will be companies filing serial 8-K disclosures throughout incidents, with their reputations and share prices taking hits every time. Because every 8-K is a de facto press release, this new reality will necessitate – from the earliest moments of a suspected incident – synchronized, strategic, and consistent communications to customers, investors, employees and other key stakeholders. For one thing, the new SEC rules encourage companies to factor “reputational damage” into the materiality analysis. Communications professionals are often best-positioned to advise on this issue.
Should companies freeze out communications teams before disclosure, the reputational fallout afterward could become disastrous. Imagine the reactions of workers or customers who learn of incidents through the media, direct contact from the hackers themselves, or through a posting of their most sensitive information online.
Right behind the SEC's new rules are pending new disclosure requirements from the Federal Trade Commission, which will govern private companies as well. Beginning in May, mortgage providers, payday loan companies, and other “non-bank financial institutions” that fall under the FTC’s authority will be required to report incidents in which unencrypted data of at least 500 customers is stolen as soon as possible, and within 30 days at the latest. While the commission is still finalizing its process, it appears likely the commission will create a publicly available database of breached companies, just as the Department of Health and Human Services already does. These 8-Ks and disclosure websites, along with the reports of breaches pumped out by more than 20 state attorneys general, will be a rolling buffet of reputation-tarnishing data from which reporters, analysts and pundits of all stripes will feast.
All this points to one conclusion: companies must anticipate and plan now for a range of cyber-incident scenarios, pressure-test them regularly, prepare messaging and materials, and involve communications strategists in every step of planning and response. Gone are the days when a cyber event was simply a technical inconvenience. Today’s incidents are a public and granular showcase of corporate management, trust, integrity, transparency, and competency, playing out against sophisticated criminals who follow no rules.
The FGS Global cybersecurity team spent much of 2023 helping businesses prepare for incidents and manage these new regulations. A key part of that process has been creating crisis plans for a variety of cyber incident scenarios, then testing them in exercises simulating the new disclosure-rules environment to help crisis working groups build muscle memory they can use in an actual incident.
Such preparations replace confusion with confidence, accelerate response time, and help preserve credibility and reputation with key constituencies, including customers, investors, employees and media.