Stock photo with lock and digital data (Credit: Titima Ongkantong/Shutterstock.com)

The Securities and Exchange Commission's (SEC's) proposed cybersecurity disclosure rules, which would allow investors for the first time to make apples-to-apples comparisons of companies' cyberattack vulnerabilities and defenses, might actually have the unintended consequence of giving bad actors artillery to do more harm.

That was among the common themes in letters that companies, trade groups, and other interested parties submitted to the SEC in response to the March rollout of the proposed rules. Many of the more than 140 letters expressed concern about the rules' requirement that companies disclose material cybersecurity incidents within four days.

That's too tight a window, commenters argued. In some cases, four days does not give companies enough time to fully get their arms around the extent of the attack, and they may not have yet succeeded in cutting off criminals' access to their systems.

Complete your profile to continue reading and get FREE access to Treasury & Risk, part of your ALM digital membership.

Your access to unlimited Treasury & Risk content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Thought leadership on regulatory changes, economic trends, corporate success stories, and tactical solutions for treasurers, CFOs, risk managers, controllers, and other finance professionals
  • Informative weekly newsletter featuring news, analysis, real-world case studies, and other critical content
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical coverage of the employee benefits and financial advisory markets on our other ALM sites, PropertyCasualty360 and ThinkAdvisor
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Greg Andrews

Greg Andrews is the editor overseeing ALM Media's coverage of corporate legal departments. He previously was editor of Indianapolis Business Journal and business editor of The Indianapolis Star. Contact him at [email protected]. On Twitter: @Greg_Andr