The U.S. Securities and Exchange Commission (SEC) has announced a delay in finalizing rules that would require publicly traded companies to disclose material cybersecurity incidents within four business days of discovery. Originally expected to release the rules on April 3, final action is now anticipated in October due to significant pushback. The proposed regulations also demand information on the cybersecurity competency of board members.
Stakeholders, including the U.S. Chamber of Commerce, criticized the SEC for potentially micromanaging corporate cybersecurity and questioned the feasibility of the four-day disclosure deadline. The cybersecurity industry generally supports the rules, with some exceptions like Rapid7, expressing concerns about the potential negative impact of public disclosure on cyber incident mitigation.
The U.S. Chamber of Commerce, representing various industry lobbying organizations, accused the SEC of overreach in attempting to micromanage corporate cybersecurity programs through compliance-based reporting. The criticism focused on the perceived inadequacy of the four-day disclosure window, arguing that companies need more time to accurately assess incident severity. The Chamber also opposed the requirement for corporate boards to disclose members with cybersecurity expertise. Despite this, the cybersecurity industry, with notable exceptions like Rapid7, generally supports the SEC’s rules. Rapid7, in particular, emphasized the potential harm to investors resulting from public disclosure of unmitigated cyber incidents.
The Digital Forensic Research Lab, while providing qualified support for the rules, suggested modifications, such as allowing firms to delay reporting ongoing or uncontained cyber incidents for up to 30 days. The organization also proposed exceptions for incidents affecting national security. It believes that the SEC’s rules, with their combination of public disclosure, broad applicability, and standardized reporting, would enhance cybersecurity transparency beyond existing requirements. On the other hand, the Electronic Privacy Information Center (EPIC) expressed support for the establishment of incident response and minimum data breach reporting requirements for specific financial entities. EPIC emphasized the need for notifications to provide consumers with sufficient information to understand and address the situation effectively.
