From ExtremeTech: The US Securities and Exchange Commission (SEC) voted 3-2 Wednesday to shift its data breach disclosure mandates. Under the new rule, publicly traded companies must disclose data breaches within four days if those breaches could be materially impactful.
The clock begins when a company determines that a breach will affect its bottom line. At that time, the affected company will use two items added to Form 8-K, a form used to share material events with investors as required by the Securities Exchange Act, to disclose the breach. One of these items provides space for the company to describe how and when the incident occurred and who or what might be impacted. The other requires the company to describe how it came across, assessed, and managed the breach. This form must be submitted within four days, except in rare cases that pose a significant risk to national security or public safety, in which case the SEC can mandate immediate disclosure.
Because this is the SEC and not a consumer-focused entity like the Federal Trade Commission, the agency is more concerned with how breaches might impact investments than how they could alter users’ lives. “Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors," SEC Chair Gary Gensler said. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
View: Full Article