Since adopting new cybersecurity disclosure rules in 2023, the Securities and Exchange Commission (SEC) has required publicly listed US companies to report material cybersecurity incidents within four business days of determining that an incident is material. But does the regulator hold itself to the same standard?
After its official X account was compromised on Tuesday, January 9, the SEC’s credibility as a cybersecurity authority has certainly been damaged.
Having gained control of the regulator’s social media profile, the SEC hacker falsely announced the approval of spot Bitcoin ETFs in the US, causing the cryptocurrency’s price to temporarily spike before the statement was retracted.
Responding to the incident, X said that an unidentified individual had obtained control of a phone number associated with the official SEC account through a third party, and that the account did not have two-factor authentication (2FA) enabled when it was compromised. That detail matters: whoever controls the phone number attached to an account can typically receive the SMS codes used to reset its password, so no access to X's own systems was needed. It also means that SMS-based 2FA alone would not have stopped this attacker; only a second factor that does not depend on the phone number, such as an authenticator app or a hardware security key, would have.
In the wake of the breach, the SEC has been condemned by senators and ridiculed by the investors it is charged with protecting, with many asking how an agency that does not implement a basic control like 2FA on a market-moving account can be trusted to regulate the cybersecurity practices of some of the world's largest businesses.
Under the SEC's disclosure rules, covered companies must report all "material cybersecurity incidents", meaning those a reasonable investor would consider important, including incidents likely to affect the company's operations or financial condition.
Were it bound by the rules itself, the SEC would therefore be required to report any breach that threatens its ability to protect investors, maintain fair and orderly markets, or facilitate capital formation. Given the market-moving consequences of Tuesday's X hack, it is fair to say the regulator failed on all three fronts.
Beyond incident reporting, covered companies must also describe their cybersecurity risk management, strategy and governance in their annual reports.
The logic behind the policy is that investors should be able to assess companies' security practices and identify potential investment risks. In theory, bringing cybersecurity disclosure under SEC rules allows different firms' strategies to be compared side by side.
Presumably, the SEC has a cybersecurity framework of its own. Unfortunately, the agency has not met the standard it sets for others. Lawmakers will surely demand an explanation from the SEC's leadership, but a brief telling-off on Capitol Hill is unlikely to assuage anyone's concerns.