SEC disclosure rule for ‘material’ cybersecurity incidents goes into effect

Posted under: Online Security
Date: 2023-12-21

The U.S. Securities and Exchange Commission (SEC) has implemented a new rule requiring publicly traded companies to disclose "material" cybersecurity incidents within four business days and to submit annual reports on their cybersecurity management. The move aims to give investors consistent and timely information for informed decision-making. Critics argue that the rapid disclosure timeframe, potential national security risks, and duplicative reporting requirements could pose challenges. Concerns also focus on increased liability for Chief Information Security Officers (CISOs). The SEC emphasizes that it is not prescribing cybersecurity strategies but promoting transparency. Some suggest the rule could make the CISO role more challenging, prompting demand for insurance. The Department of Justice has outlined conditions for delaying disclosure, which take into account unpatched vulnerabilities, sensitive government records, or critical infrastructure remediation.

Read more at: cyberscoop.com