SEC: Public companies must report cyberattacks within four days
Delays may be granted over public or national security risks.
In a move to prevent public companies from delaying news about cyberattacks, the US Security and Exchange Commission has set a four-day deadline to disclose "material cybersecurity incidents." A US attorney general could potentially delay that disclosure if doing so would lead to "substantial risk to national security or public safety." Otherwise, the rules will serve as a stiff new guidepost — albeit, one that's slightly less restrictive than the EU's GDPR cyberattack deadline of just three days.
The news comes after Microsoft was criticized by security experts for taking weeks to confirm an attack against Outlook and other online services. “We really have no way to measure the impact [of the attack] if Microsoft doesn’t provide that info," Jake Williams, a cybersecurity researcher and former NSA hacker, told the AP in June.
While GDPR rules are more about protecting the public, the SEC appears to be more focused on investors: “Currently, many public companies provide cybersecurity disclosure to investors," SEC Chair Gary Gensler said in a statement. "I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way."
Technology companies have pushed against the SECs rules since they were initially announced last year, which ultimately led to the inclusion of a delay clause, Bloomberg reports. Additionally, the Information Technology Industry Council argued that the four-day deadline is too short, since companies may not know enough about the cyberattack by then.
