SEC: Businesses Must Disclose Data Breaches Within 4 Days

Tyler Cross

The Securities and Exchange Commission issued a new ruling this Wednesday, requiring companies to share data breaches with the public within 4 days of the initial breach.

With a bipartisan vote of 3-2, the new laws barely got through. While the requirement seems strict, a company can first reach out to the SEC and request a delay in disclosure of up to 60 days if the information that would be disclosed is a threat to national or public safety. Anything over 60 days will only be accepted under extraordinary circumstances.

“Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way,” says SEC Chair Gary Gensler.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors.”

The US has been ramping up its efforts to defeat cybersecurity risks across the board as the annual number of data breaches, cyber incidents, and hacks increases year after year, an effort supported by business managers, CEOs, and lawmakers alike.

Earlier this year, the MOVEit file transfer service was hacked, leading to a global incident that’s still unfolding to this day, with hundreds of companies and even government entities coming forward about the breach. The new rule arrives while that incident is still playing out.

This isn’t to say there is no opposition at all.

“Although citing investor protection as its intent, the Commission exhibits little concern for the costs its new rules will impose on investors,” says Republican Commissioner Hester Peirce, stating that the rules “seem designed to better meet the needs of would-be hackers,” by providing hackers with faster updates and more information.

While it’s fair to remain skeptical, the new laws are still supported by the majority of lawmakers and will be enacted 30 days after publication in the Federal Register.

About the Author

Tyler is a writer at SafetyDetectives with a passion for researching all things tech and cybersecurity. Prior to joining the SafetyDetectives team, he worked with cybersecurity products hands-on for more than five years, including password managers, antiviruses, and VPNs, and learned everything about their use cases and function. When he isn't working as a "SafetyDetective", he enjoys studying history, researching investment opportunities, writing novels, and playing Dungeons and Dragons with friends.