The Securities and Exchange Commission's (SEC's) proposed cybersecurity disclosure rules, which would allow investors for the first time to make apples-to-apples comparisons of companies' cyberattack vulnerabilities and defenses, might actually have the unintended consequence of giving bad actors artillery to do more harm.
That was among the common themes in letters that companies, trade groups, and other interested parties submitted to the SEC in response to the March rollout of the proposed rules. Many of the more than 140 letters expressed concern about the rules' requirement that companies disclose material cybersecurity incidents within four days.
That's too tight a window, commenters argued. In some cases, four days does not give companies enough time to fully get their arms around the extent of the attack, and they may not have yet succeeded in cutting off criminals' access to their systems.
Complete your profile to continue reading and get FREE access to Treasury & Risk, part of your ALM digital membership.
Your access to unlimited Treasury & Risk content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Thought leadership on regulatory changes, economic trends, corporate success stories, and tactical solutions for treasurers, CFOs, risk managers, controllers, and other finance professionals
- Informative weekly newsletter featuring news, analysis, real-world case studies, and other critical content
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical coverage of the employee benefits and financial advisory markets on our other ALM sites, PropertyCasualty360 and ThinkAdvisor
Already have an account? Sign In Now
*May exclude premium content© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.