The Securities and Exchange Commission wants corporate America to tell investors more about cybersecurity breaches and what's being done to fight them. Much more.
The SEC is scheduled to vote today on rules that would require public companies to disclose "material" cybersecurity breaches within four days after a determination that an incident was material.
The SEC says it is necessary to collect the data to protect investors. Corporate America is pushing back, claiming that the short announcement period is unreasonable, and that it would require public disclosure that could harm corporations and be exploited by cybercriminals.
If adopted, the final rules will become effective 30 days following publication of the release in the Federal Register.
Current rules on when a company needs to report a cybersecurity event are fuzzy. Companies have to file an 8-K report to announce major events to shareholders, but the SEC believes that the requirements for reporting a cybersecurity event are "inconsistent."
In addition to requiring public companies to disclose cybersecurity breaches within four days, the SEC wants additional details to be disclosed, such as the timing of the incident and the material impact on the company. It will also require disclosure of management expertise on cybersecurity.
The pushback from corporate America sounds strikingly similar to the pushback against many of the other rulemaking proposals SEC Chair Gary Gensler has made: too much.
"The SEC is calling for public disclosure of considerably too much, too sensitive, highly subjective information, at premature points in time, without requisite deference to the prudential regulators of public companies or relevant cybersecurity
Read more on cnbc.com