SEC Sets Cyberattack Report Limitation for Public Companies


The US Securities and Exchange Commission has set a four-day deadline for public companies to report cybersecurity incidents. Exceptions govern the new guidelines.


To prevent public companies from delaying news of cyberattacks, the US Securities and Exchange Commission has imposed a four-day disclosure deadline for “material cybersecurity incidents.” The US attorney general may delay disclosure if it would “substantially risk national security or public safety.”

The rules will be a new, strict guidepost, but less severe than the EU’s GDPR cyberattack deadline of three days.

Security professionals criticized Microsoft for taking weeks to confirm an attack on Outlook and other online services. In June, a cybersecurity researcher and former NSA hacker, Jake Williams, told the AP, “We have no way to measure the impact [of the attack] if Microsoft doesn’t provide that info.”

While GDPR is more concerned with public protection, the SEC appears to be more concerned with investors. Gary Gensler, chairman of the SEC, said in a statement that “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

Technology companies have opposed the SEC rules since last year, prompting the delay clause. The Information Technology Industry Council also said the four-day deadline was too short because companies may need more time to gather information about an attack.
