Delays may be granted over public or national security risks.

In a move to prevent public companies from delaying news about cyberattacks, the US Security and Exchange Commission has set a four-day deadline to disclose "material cybersecurity incidents." A US attorney general could potentially delay that disclosure if doing so would lead to "substantial risk to national security or public safety." Otherwise, the rules will serve as a stiff new guidepost — albeit, one that's slightly less restrictive than the EU's GDPR cyberattack deadline of just three days.

The news comes after Microsoft was criticized by security experts for taking weeks to confirm an attack against Outlook and other online services. “We really have no way to measure the impact [of the attack] if Microsoft doesn’t provide that info," Jake Williams, a cybersecurity researcher and former NSA hacker, told the AP in June.

While GDPR rules are more about protecting the public, the SEC appears to be more focused on investors: “Currently, many public companies provide cybersecurity disclosure to investors," SEC Chair Gary Gensler said in a statement. "I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way."

Technology companies have pushed against the SECs rules since they were initially announced last year, which ultimately led to the inclusion of a delay clause, Bloomberg reports. Additionally, the Information Technology Industry Council argued that the four-day deadline is too short, since companies may not know enough about the cyberattack by then.

Source:
courtesy of ENGADGET

by Devindra Hardawar

If you have any stories or news that you would like to share with the global online community, please feel free to share it with us by contacting us directly at [email protected]