The US Securities and Exchange Commission has put forth a new rule requiring publicly traded companies to disclose cybersecurity breaches within four days, after determining whether the breach is serious enough to be material to investors, according to an article in Reuters. The rules are intended to help the investing public get better information on frequency and costs of cyberattacks and was passed on a party-line vote. An exemption has been written into the rule, to allow for delays if the Justice Department determines releasing public notification of the breach could interfere with national security or police investigations.
Additional rules also require that companies periodically describe their cyberthreat management efforts, in support of a broader SEC effort to improve the robustness of the financial system against cyberthreats. An earlier proposal to require companies to disclose board member expertise in cybersecurity was removed prior to passing, in response to public comments.
Source:
