SEC Proposes Four-Day Breach Notification Rules
The US Securities and Exchange Commission (SEC) has proposed new rules designed to increase transparency around cybersecurity incident reporting.
The regulator wants listed companies to disclose a “material cybersecurity incident” within four business days of determining that the incident is material. Although every US state already has a data breach notification law, those laws generally apply only to incidents in which personal information is taken and do not cover other cybersecurity incidents.
SEC chair, Gary Gensler, said the regulator’s disclosure regime needed to change to reflect evolving risk and investor needs.
“Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner,” he added.
“I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.”
Other proposals include a requirement to provide updates on previously disclosed incidents and to disclose when “a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate.”
It’s unclear what constitutes “material” in this context.
The SEC also proposed that registrants describe their policies and procedures for identifying and managing cybersecurity risk, and describe the board’s role and expertise in overseeing and assessing those risks and in implementing the related policies, procedures and strategies.
As part of this effort, listed firms would be required to identify any board members with cybersecurity expertise and describe the nature of that expertise.
Ray Kelly, a fellow at NTT Application Security, welcomed the move as an attempt to standardize breach reporting and hold public companies accountable.
“The current policies – which do not specify a timeframe to report cybersecurity incidents to the public – have essentially allowed companies to disclose this critical information on their own merit, which could affect stock price or mergers and acquisitions,” he added.