Publicly traded companies that suffer a significant hack will need to disclose the incident within four business days, according to new rules from the Securities and Exchange Commission.
The SEC today voted 3-2 to adopt the new rules, which are designed to bolster investor transparency at a time when cyberattacks have become commonplace.
“Currently, many public companies provide cybersecurity disclosure to investors,” SEC Chair Gary Gensler said in the announcement. “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
Specifically, companies will need to disclose “material cybersecurity incidents they experience,” meaning hacks that involve a significant amount of money or business. In addition, they will need to report the hack within “four business days” after the incident is deemed to be material.
Four days is a short amount of time, but the SEC says the deadline is “workable” since companies will only need to supply an “incident’s basic identifying details and its material impact or reasonably likely material impact.”
The only exception is for computer hacks that affect national security. “The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing,” the SEC says.
If this occurs, a company could delay disclosure of the breach by up to 30 or 60 days.
The other major rule enacted involves a publicly traded company's overall cybersecurity stance. The SEC is requiring firms to describe their efforts to fend off
Read more on pcmag.com