The SEC has just taken a sensible decision about cybersecurity
Following the European Union once again, the US Securities and Exchange Commission (SEC) has adopted a final rule aimed at improving and standardizing the reporting of cybersecurity incidents. It is mandatory for all publicly traded companies, which must disclose a material security breach within four business days of determining that the incident is material, regardless of whether it has been contained or mitigated.
Reports are filed on Form 8-K (new Item 1.05) through the SEC's EDGAR system. The Attorney General may, in writing, authorize a delay in disclosure of up to 30 days (extendable in limited cases) if immediate disclosure is found to pose a substantial risk to national security or public safety. The new rule represents a major change: until now, common practice was to keep cybersecurity incidents quiet until the attack vector had been contained and the incident closed. Now, companies must report them within four business days of the materiality determination, whatever their status. Note that the clock starts at the materiality decision, not at discovery, so the rule also expects that decision to be made without unreasonable delay once an incident is known.
The report will need to include:
- The date the incident was discovered and its status (ongoing or resolved).
- A concise description of the nature and extent of the incident.
- A summary of all data that may have been compromised, altered, accessed or used without authorization.