New U.S. SEC rule requires public companies to disclose cybersecurity breaches within 4 days

Washington –


The U.S. Securities and Exchange Commission approved rules Wednesday requiring public companies to disclose, within four days, any cybersecurity breach that could affect their bottom line. Delays are allowed only if immediate disclosure would pose a serious risk to national security or public safety.


The new rules, passed by a 3-2 vote along party lines, also require publicly traded companies to disclose annually information on cybersecurity risk management and executive expertise in the field. The idea is to protect investors.


Disclosure of a breach may be delayed if the U.S. Attorney General determines that disclosure would “pose a substantial risk to national security or public safety” and notifies the SEC in writing. Only in extraordinary circumstances can such a delay be extended beyond 60 days.


“If a company loses a factory in a fire, or millions of files in a cybersecurity incident, it may be material to investors,” SEC Chairman Gary Gensler said in a statement, noting the current inconsistency in how such incidents are disclosed.


The rules will add “more transparency into an otherwise opaque but growing risk” and could spur improvements in cybersecurity, though they may pose a greater challenge to smaller companies with limited resources, Lesley Ritter, senior vice president at Moody’s Investors Service, said in a statement.


Technically, the clock on the reporting window (four business days under the rule) does not start ticking until a company has determined that a breach is material; the rule requires that materiality determination to be made without unreasonable delay.


One of the two dissenting Republican commissioners, Hester Peirce, complained that the new requirements exceed the SEC’s authority and “seem designed to better meet the needs of would-be hackers,” who could benefit from detailed information on how companies manage cyber risk.


Peirce also said in a statement that the temptation for the SEC to “micromanage” company operations will only increase.


A leading figure in the cybersecurity industry, Tenable CEO Amit Yoran, wholeheartedly welcomed the new rule.


“For too long, the largest and most powerful U.S. companies have treated cybersecurity as a nice-to-have, not a necessity. Now it is very clear that corporate leaders need to elevate cybersecurity within their organizations,” he said in a statement.


The rules were first proposed in March 2022, when the SEC determined that breaches of corporate networks posed a growing risk as companies digitized their operations and expanded remote work, and that the cost of cybersecurity incidents to investors was rising.


While some critical infrastructure operators and all health care providers are required by law to report breaches, there is no general federal breach-disclosure law.


In a new report released by IBM, researchers found that organizations now pay an average of $4.5 million to deal with a breach, a 15 percent increase over the past three years. Researchers at the Ponemon Institute also found that affected businesses typically pass those costs on to consumers, who may themselves be victims whose personal information was stolen in the breach.


The rule’s passage also comes amid slow and often cryptic disclosures, some of them made through SEC filings, of a major data breach affecting hundreds of organizations: the so-called supply-chain hack by Russian cybercriminals of MOVEit, a widely used file-transfer program. The breach has affected numerous universities, major pension funds, U.S. government agencies, more than 9 million drivers in Oregon and Louisiana, and companies including the BBC, British Airways, Ernst & Young and PricewaterhouseCoopers.


Many MOVEit breach victims were quick to point out that they had been failed by a third-party vendor. The new SEC rule covers incidents involving third-party applications and highlights how heavily companies have come to rely on external cloud services for data management and storage.
