Security and Exchange Commission’s Ruling on Cyber Incidents (CFR 17)

Keywords: SEC, CFR 17, Cybersecurity, Incident Reporting, WannaCry, Petya, EternalBlue, ARC Advisory Group.

Overview

The Security and Exchange Commission (SEC) has recently reviewed and cleared a ruling to move forward on a new rule to be implemented later this year, with a deadline of June 2024 to all US companies to disclose their cybersecurity incidents, as well as their cyber and risk management practices. This ruling has led to several cybersecurity experts extolling the merits and flaws inherent within this ruling. Nonetheless, companies are always interested in how new legislation will affect business operations. This Insight provides a brief background of events, an overview of the proposed ruling, and discusses some of the criticism leveled at the regulation. 

Data Breaches and Ransomware: History of a Problem

Data breaches, alongside ransomware, are an increasing threat to cybersecurity teams around the world and have continuously made headlines as companies fall victim to breaches. For instance, in 2021 the Colonial Pipeline cyberattack, a data breach paired with ransomware, resulted in the pipeline being forced to shut down for almost a week. The attackers specifically hit the billing system of Colonial Pipeline forcing a shutdown of service while the company assessed access and damage to their systems and network. 

The company paid 75 bitcoins at the time to get a piece of decoding software from the hackers that was so slow in restoring content that Colonial Pipeline had faster success with using its internal backups and business continuity software. Still, the attack caused a widespread panic buying effort amongst consumers and affected the cost of gas for more than a month, trickling down to everything else in the consumer industry. 

In 2017, two of the largest ransomware attacks happened one after another. The WannaCry and the Petya attacks made headlines around the world, occurring within a month of each other. Both used an exploit known as EternalBlue, which was leaked a month after Microsoft released an update patch specific to the exploit. Still, many companies did not adopt the patch in time, and as a result several large companies throughout the globe were hit. Estimates put the two ransomware attacks at roughly $10-15 billion in damages globally. The targets of the two attacks included: 

1. NHS of the United Kingdom 

2. Merck, the US drug company 

3. FedEx, US logistics company 

4. DHL, Germany logistics company 

5. Hitachi, Japanese conglomerate 

6. Honda, Japanese manufacturer 

7. Petrobras, Brazilian petrochemical company 

8. Boeing, a US aerospace company 

Given the ever-increasing nature of cyberattacks targeted at industrial companies, including data breaches and ransomware, there has been a serious uptick in looking into regulatory options to help bring the baseline for cybersecurity to new standards. 

The Ruling As It Stands Presently

The Security and Exchange Commission (SEC) has recently ruled in favor of a change to companies reporting standards to help amend some of the cybersecurity issues that have plagued shareholders and customers of companies increasingly in the last few years. The SEC CFR 17 ruling is going into effect later in December of this year, with smaller companies having an enforceable deadline of June 2024. The SEC ruling is seeing additional requirements for companies to disclose their yearly, quarterly, and special notice filings. 

ARC Advisory Group clients can view the complete report at the ARC Client Portal. 

Please Contact Us if you would like to speak with the author.

You can learn more about cybersecurity at Industrial Cybersecurity Market Analysis Research