SEC Mandates Public Companies to Disclose Cyberattacks Within Four Days
The US Securities and Exchange Commission has adopted a new rule to stop public companies from withholding information about cyberattacks. Under the rule, companies must disclose any material cybersecurity incident within four business days of determining that it is material. The one exception is national security: if the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, the disclosure may be delayed. Strict as the rule is, it is slightly less stringent than the European Union's General Data Protection Regulation (GDPR), which requires organisations to notify the supervisory authority of a personal data breach within 72 hours, or three days, of becoming aware of it.
The news comes after security experts criticized Microsoft for taking weeks to confirm an attack against Outlook and other online services. “There’s really no way for us to measure the impact [of the attack] if Microsoft doesn’t provide this information,” cybersecurity researcher and former NSA hacker Jake Williams told the AP in June.
While the GDPR rules are more about protecting the public, the SEC appears to be more focused on investors: “Currently, many public companies provide cybersecurity information to investors,” SEC Chairman Gary Gensler said in a statement. “However, I believe that companies and investors would benefit from this announcement being made in a more consistent, comparable and decision-making manner.”
Tech companies have pushed back against the SEC rules since they were first proposed last year, and that pressure eventually led to the inclusion of the delay clause, Bloomberg reported. The Information Technology Industry Council also argued that the four-day deadline is too short, since a company may not yet know enough about an incident by then to report it accurately.