
SEC's Proposed Four-Day Breach Reporting Rule Comes Under Fire

State lawmakers, Congress, and federal agencies are scrambling to address privacy and cybersecurity matters (and to stake out their own authority for them), among them the SEC. Earlier this year, it released proposed rules relating to how public companies should handle cybersecurity incidents. As part of the normal process, those draft rules are open to the public for comment/advocacy before being finalized by the agency.  

One particular item proposed by the SEC has attracted a great deal of comment: a requirement that companies must disclose cyber incidents within four days.  

Why it Matters

The SEC is charged with ensuring that information material to investment decisions is available to the public and to potential investors. Depending on how the final definitions and enforcement shake out, four days is not a lot of time in the lifecycle of a cyber incident; comparable state-law reporting requirements often allow 30 days or specify no time frame at all. In the EU, companies that suffer a personal data breach must disclose it to regulators within 72 hours, but that is not the same as having to go public with it. A four-day public disclosure requirement seems likely to force affected companies into a difficult balancing act between fully investigating and containing the incident on the one hand and complying with securities laws on the other.

The agency proposed in March that publicly traded companies disclose cybersecurity incidents through Form 8-K, which covers material developments that occur between a business's quarterly or annual filings, such as declarations of bankruptcy or entering into major sales contracts. Advisers to breach victims argue that applying the same four-day standard to disclosing active cybersecurity episodes, in public statements that are often cited in post-breach lawsuits, will likely leave investors with more questions than answers and could jeopardize investigations by tipping off attackers that a victim is aware of their activities.
