State lawmakers, Congress, and federal agencies, the SEC among them, are scrambling to address privacy and cybersecurity matters (and to stake out their own authority over them). Earlier this year the SEC released proposed rules on how public companies should handle and disclose cybersecurity incidents. As part of the normal rulemaking process, those draft rules are open to public comment and advocacy before the agency finalizes them.
One item in the proposal has attracted a great deal of comment: a requirement that public companies disclose a material cybersecurity incident on a Form 8-K within four business days of determining that the incident is material. Note that the clock starts at the materiality determination, not at the moment the intrusion is first detected; the proposal does not, however, let a company defer that determination indefinitely while it investigates.
Why it Matters
The SEC is charged with ensuring that information material to investment decisions is available to the public and to potential investors. Four business days is not a lot of time in the lifecycle of a cyber incident, whatever the final definitions and enforcement posture turn out to be: scoping an intrusion, identifying what data or systems were affected, and containing the attacker routinely takes longer than that. Comparable state breach-notification laws often allow 30 days, or require notice only "without unreasonable delay" with no fixed deadline at all. In the EU, a company that suffers a personal data breach must notify its supervisory authority within 72 hours, but that notification goes to a regulator, not to the public. A four-day public disclosure requirement therefore seems likely to force a difficult balancing act on affected companies: on one side, a full investigation and containment of the incident (during which a public statement can tip off the attacker or be wrong on the facts); on the other, compliance with the securities laws.