July 27, 2023

The Securities and Exchange Commission (SEC) of the United States has established new regulations requiring public firms to disclose cybersecurity breaches within four days if they potentially have an impact on the company’s bottom line. The guidelines also compel businesses to provide information on their cybersecurity risk management and leadership experience in the subject on an annual basis.

The new guidelines were approved 3-2 along party lines. The Republican commissioners who voted no contended that the restrictions exceeded the SEC’s power and may benefit hackers. According to advocates, the limits are necessary to protect investors from the financial risks of cybersecurity breaches. They also noted that the legislation will help companies strengthen their cybersecurity operations. While another party claim that the new rules go beyond the SEC’s power and “appear to be designed to better meet the needs of would-be hackers,” who may benefit from extensive information on how corporations handle cyberrisk.

According to the rule, breach disclosures may be postponed if the US Attorney General decides they represent a significant danger to national security or public safety and informs the SEC in writing. Only in exceptional circumstances may that delay be prolonged over 60 days.

The new rules will go into effect 30 days after they are published in the Federal Register. The rules will be enforced by the SEC’s Division of Enforcement. Companies that fail to comply with the rules could face civil penalties.

The sources for this piece include an article in CTVNews.