The US Securities and Exchange Commission (SEC) has announced a new rule that requires public companies to disclose any security breaches within four days.
The time limit is specifically set for any breaches that could affect a company’s bottom line. Delays will be permitted for anything that poses a threat to public safety or national security.
The new rules also require publicly traded companies to share information on their cybersecurity risk management and any cybersecurity expertise their executives hold.
These new rules aim to provide transparency into the growing risk of data breaches and will hopefully push companies to bolster their cyber defenses.
Before now, no general federal breach disclosure law had existed. Only healthcare providers and some critical infrastructure operators have been required by law to report breaches.
The rule states that the four-day window of reporting doesn’t officially start until the company has confirmed the breach as material. However, the US Attorney General stated that the delay could be extended beyond 60 days under extraordinary circumstances, such as “a substantial risk to national security or public safety”.
The new SEC rule also covers third-party apps, acknowledging companies’ increased reliance on outside cloud services for data and storage. That reliance has, in part, been blamed for the rising costs companies face when dealing with cybersecurity incidents.
The number of cybersecurity victims rose from 62m to 157m in the first half of this year alone. The incidents counted range from having a social media account hacked to having bank information compromised.
If the SEC’s ruling works as expected, the hope is that it will reduce not only the risk to investors but also the number of consumers hit by incidents.