In an effort to curb delays in the reporting of cyberattacks by public companies, the US Securities and Exchange Commission (SEC) has adopted a rule requiring them to disclose material cybersecurity incidents within four business days. The clock starts when the company determines that an incident is material, not when the incident is first detected. The US Attorney General may permit a delay if immediate disclosure would pose a substantial risk to national security or public safety. Although a stringent new standard, it is slightly more lenient than the EU’s General Data Protection Regulation (GDPR), which requires an organisation to notify its supervisory authority of a personal-data breach within 72 hours of becoming aware of it.
This development follows significant criticism of Microsoft for taking several weeks to confirm that early-June disruptions to Outlook and other Microsoft online services were the result of denial-of-service attacks. “We are essentially blind to the repercussions [of the attack] if Microsoft doesn’t reveal that information,” Jake Williams, a former NSA hacker and current cybersecurity researcher, told the AP in June.
While the GDPR is primarily a data-protection law aimed at protecting individuals, the SEC’s focus is on safeguarding investors’ interests. SEC Chair Gary Gensler said in a statement, “Currently, many public companies issue cybersecurity disclosures to their investors. I am of the opinion that both the companies and investors would gain if these disclosures were given in a more uniform, comparable, and informative manner.”
Tech companies have opposed the SEC’s rules since they were first proposed last year, and that resistance ultimately led to the inclusion of the clause allowing for delays, as reported by Bloomberg. The Information Technology Industry Council has also argued that the four-day deadline is too short, since a company may not yet have reliable information about the scope and impact of an attack within that window.
Frequently Asked Questions (FAQs) about Cyberattack Reporting Regulation
What new regulation has the SEC imposed on public companies regarding cyberattacks?
The SEC (Securities and Exchange Commission) has adopted a rule requiring public companies to disclose material cybersecurity incidents within four business days of determining that an incident is material.
How does this new SEC regulation compare to the EU’s GDPR rules?
The EU’s General Data Protection Regulation (GDPR) requires organisations to notify their supervisory authority of a personal-data breach within 72 hours (three days) of becoming aware of it, so the SEC’s four-business-day window is slightly more lenient.
Can the disclosure of a cyberattack be delayed under the new SEC regulation?
Yes. Disclosure can be delayed if the US Attorney General determines that it would pose a substantial risk to national security or public safety.
What was the response of tech companies to this new regulation?
Technology companies have opposed the SEC’s rules since they were first proposed, which led to the inclusion of the clause allowing for delays. The Information Technology Industry Council has also argued that the four-day deadline is too short.
Who is expected to benefit from the SEC’s new rule on cyberattack disclosures?
SEC Chair Gary Gensler believes that both companies and investors will benefit from this new rule, as it encourages more consistent, comparable, and informative cybersecurity disclosures.
5 comments
Wow, 4 days? That’s super quick. Not sure all companies can manage it. Some attacks are really complex…
Gotta say, EU’s GDPR is still tougher. This is lenient in comparison. US has to step up its game.
This is a necessary step. Investors have a right to know if the company they’ve invested in has been hit by a cyberattack.
Interesting move by the SEC. Balancing national security, investor interests and realistic expectations from companies. Will be intriguing to see how it plays out.
Why just public companies? Private firms also face cyber threats. Should be for everyone, right?