Publicly traded U.S. companies can no longer release quiet, belated information about data breaches.
The Securities and Exchange Commission released new rules yesterday requiring public companies to report material cybersecurity incidents, data breaches included, on Form 8-K within four business days of determining that an incident is material. The same rules also require an annual description of the company's cybersecurity risk management, strategy and governance.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a press release. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
The rule also allows that four-business-day disclosure to be delayed if the U.S. Attorney General determines that sharing the cybersecurity incident “would pose a substantial risk to national security or public safety.”
This decision, which passed by a 3-2 vote along party lines according to the Associated Press, doesn’t come as a complete surprise. As 9to5Mac reported, companies in Europe already have to report data breaches quickly: under the GDPR, the supervisory authority must be notified within 72 hours of the company becoming aware of a breach. And true SEC heads will remember that the new rules were originally proposed in March 2022, when the SEC noted a rise in cybersecurity risk as so many U.S. companies started allowing employees to work from home. Currently, U.S. companies often fail to tell customers that their company has been hacked until months after the hack — just look at the way T-Mobile and Twitter handled their recent data breaches. Note that the SEC rule governs what investors are told through securities filings; notification of affected customers is still governed separately by state and sector breach-notification laws.