SEC Weighs New Timeline for Disclosing Cybersecurity Incidents

The agency proposes requiring publicly traded firms to disclose any material data breaches within four days.

Under a new plan from the U.S. Securities and Exchange Commission (SEC), companies would face more pressure to alert the public of hacks or other significant cybersecurity incidents. On Wednesday, the SEC proposed requiring publicly traded firms to disclose breaches within four days. The demands would apply to incidents that are considered “material,” or important to the average investor.

After years of high-profile incidents, this is the SEC’s latest move to prod companies to be more transparent when attacks occur. Last month, the agency proposed requiring investment companies to bolster their cybersecurity systems.

“Cybersecurity incidents, unfortunately, happen a lot,” SEC Chair Gary Gensler said in a statement. “A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”

Companies currently rely on 2018 SEC guidance to determine when to disclose incidents; that guidance does not specify a time frame for notifying the public.

In addition to the requirements that publicly traded firms disclose a major incident, the SEC’s new plan would also:

The plan was supported by the commission’s three Democrats. Hester Peirce, the SEC’s only Republican, opposed it, citing concerns that it would push the regulator into too large a role in regulating computer security and would be too prescriptive for companies.

The proposal will now be subject to public comment. The SEC would have to hold another vote months from now to finalize the rules after taking into account the public’s responses.

Copyright 2022 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.