The Securities and Exchange Commission is thinking about requiring publicly traded companies “promptly” to report data breaches and other significant cybersecurity incidents; “promptly” meaning within four days. Targeted companies, further, would be required to provide periodic updates about previous incidents and to report when a series of previously undisclosed, individually immaterial cybersecurity events has become material in the aggregate.
SEC Chairman Gary Gensler:
Cybersecurity incidents, unfortunately, happen a lot. Thus, investors increasingly seek information about cybersecurity risks, which can affect their investment decisions and returns.
Good to see Captain Sort of Obvious is more or less on top of this. There’s more to it, though, than just investment decisions.
Hacks of our businesses aren’t only detrimental to the targeted companies. They’re far too often deliberate, coordinated attacks across industries, and so are threats to our national security. The attacks, even if done in isolation from each other by independently acting criminals (which is what hackers are), far too often aggregate into a threat to our national security.
Requiring reporting within four days is an improvement over the current weeks to months of delay. However, at the speed with which a hack attack can proceed through networks and across the Internet to other networks—especially with the cloud so ubiquitously in the middle—it’s necessary for the attacked business to report the fact of the attack immediately, not some convenient period of time later.
The rule should be expanded, too; although the expansion I suggest would be beyond the SEC’s remit, and so it would need to be enacted by Congress: private companies should be required to report such attacks, also, and just as promptly.