New SEC Rule Requires Public Companies to Disclose Cybersecurity Breaches in 4 Days

For this week’s post, I wanted to focus on a long-standing government agency that is taking a much more proactive approach when it comes to cybersecurity: the Securities and Exchange Commission (better known as the SEC). On Wednesday, July 26th, 2023, the SEC adopted rules requiring public companies to disclose a cybersecurity incident on Form 8-K within four (4) business days of determining that the incident is material, that is, that it could reasonably affect their bottom lines. The rule provides a narrow exception: disclosure may be delayed if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.

Personally, I think this is a novel approach that could have real ramifications for the adoption of cybersecurity measures. Tying cybersecurity to financial disclosures makes it easier for the government to hold these corporations accountable if they do not disclose these types of attacks shortly after they happen. It will also push companies to spend more on hardening their systems and infrastructure, to minimize the number of times they will have to publicly announce that there was a breach.

There are a couple of follow-up questions that I do have: what would be the minimum threshold for a “cybersecurity incident” to require notification (does one count, or two, or one hundred)? Is it more of a quantitative threshold that needs to be met (a breach involving more than $1 million worth of data)? And what definitions would be used for “national security” or “public safety” risks when deciding whether a delay is justified?