The Securities and Exchange Commission has adopted rules to require public companies to disclose within four days all cybersecurity breaches that could affect their bottom lines
WASHINGTON — The Securities and Exchange Commission adopted rules Wednesday to require public companies to disclose within four days all cybersecurity breaches that could affect their bottom lines. Delays will be permitted if immediate disclosure poses serious national security or public safety risks.
The new rules, passed by a 3-2 vote along party lines, also require publicly traded companies to annually disclose information on their cybersecurity risk management and executive expertise in the field. The idea is to protect investors.
Breach disclosures can be delayed if the U.S. Attorney General determines they would “pose a substantial risk to national security or public safety” and notifies the SEC in writing. Only under extraordinary circumstances could that delay be extended beyond 60 days.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a statement, noting the current inconsistency in disclosures.
The rules will put “more transparency into an otherwise opaque but growing risk” and may spur improvements in cyber defenses — though potentially posing a bigger challenge for smaller companies with limited resources, Lesley Ritter, senior VP at Moody’s Investors Service, said in a statement.
Technically, the clock doesn't start ticking on the four-day window for reporting until companies have determined a breach is material.
One of the dissenting Republican commissioners, Hester Peirce, complained that the new requirements overstep
Read more on abcnews.go.com