The SEC highlighted that whether a company “loses a factory in a fire or millions of files in a cybersecurity incident”, it will impact investors.
The rule states that the four-day window of reporting doesn’t officially start until the company has confirmed the breach as material. However, the US Attorney General stated that the delay could be extended beyond 60 days under extraordinary circumstances, such as “a substantial risk to national security or public safety”.
Could This Rule Actually Help Hackers?
The rule was first proposed back in March 2022, when the SEC found that a rise in corporate network breaches and cybersecurity incidents caused an increased cost to investors. This was largely put down to the rise in digital operations and remote working.
Tenable CEO Amit Yoran, a leading figure in cybersecurity, praised the new rule in a statement:
“For a long time, the largest and most powerful US companies have treated cybersecurity as a nice-to-have, not a must have. Now it’s abundantly clear that corporate leaders must elevate cybersecurity within their organizations.”
The new requirement hasn’t been met with total positivity or confidence everywhere, however. Concerned that hackers could benefit from information on how companies manage their cyber risk, Republican commissioner Hester Peirce stated that the rule overstepped the SEC’s authority and “seems designed to better meet the needs of would-be hackers”.
Peirce’s statement went on to say that the temptation for the SEC to “micromanage” company operations is likely to increase following this latest requirement.