SEC adopts a 4-day rule for cybersecurity breach disclosures

The SEC adopted new rules this week requiring public firms to disclose all cyber breaches that could affect their bottom lines within four days.

Exceptions to the rule apply only in cases where immediate disclosure would significantly jeopardize national security or public safety.

The new regulations specify that a delay in breach disclosure is permissible if the U.S. Attorney General identifies substantial national security or public safety risks and informs the SEC in writing. Nevertheless, these exceptional circumstances would not extend the disclosure delay beyond 60 days.

SEC Chair Gary Gensler emphasised the importance of this policy, saying that cybersecurity incidents could be as crucial to investors as any other significant operational disruption. Lesley Ritter, senior VP at Moody’s Investors Service, stated the rules would increase transparency about a growing yet largely unseen risk and could encourage enhancements in cybersecurity, albeit presenting challenges for smaller companies with limited resources.

The four-day disclosure window begins only once companies have determined a breach’s materiality. However, Hester Peirce, a dissenting Republican commissioner, has voiced concerns that the rules could inadvertently assist potential hackers by providing detailed information about corporate cybersecurity measures.

Welcoming the new rule, Tenable CEO Amit Yoran said it would underscore the need for business leaders to prioritise cybersecurity within their organisations. The directive was initially proposed in March 2022 due to increasing risks associated with corporate network breaches, particularly given the surge in remote work and digital operations.

According to a new report by IBM, organisations now spend an average of $4.5m on breach management, marking a 15% increase over the past three years. The researchers also found that businesses often pass these costs on to consumers.

The SEC ruling, encompassing third-party applications, comes in the wake of a large-scale data breach caused by a supply chain hack on the widely used file transfer program, MOVEit. This breach affected hundreds of organisations, including prominent ones like the BBC, British Airways, and PricewaterhouseCoopers, highlighting the increasing reliance on external cloud services for data management and storage.

Copyright © 2023 RegTech Analyst 